Cisco  CSO:  We  have  been  a  little  lucky 

Cisco CSO John Stewart says that the company has been "a little lucky" in that it has not had major security flare-ups, but he's not taking anything for granted. Page 20.


Palo  Alto  Networks  PA4020  firewall 

New  device  offers  innovative  twist  on  traditional 
firewall  by  providing  unprecedented  visibility 
into  what's  happening  on  the  network.  Page  31. 


app  performance 

How to handle vexing application performance issues, from ineffective QoS policies to misconfigured DNS servers.

Page  12. 


Black  Hat 
spotlights 
virtualization, 
DNS  issues 


Juniper  extends  net 
mgmt.  reach 

Juniper brought together disparate net management programs under the latest version of its Network and Security Management software. Page 16.

Merrill Lynch building stateless data center

The financial giant is building a data center where it can dynamically combine capacity with application components to meet its computing needs in real time. Page 18.

Google  Search 


BY  ROBERT  MCMILLAN,  TIM 
GREENE  AND  ELLEN  MESSMER 

LAS VEGAS — The 12th Black Hat conference convened at Caesar’s Palace last week, where the 4,500 attendees (a 12.5% increase over last year) heard about the security problems that will plague virtualized environments, why Cisco routers are more of a hacker target than ever, and a detailed explanation of DNS attacks.

Attendees also found a conference show floor that was dominated by vendor booths. The booths, once a rarity at the conference, are becoming more prevalent as vendors inject themselves into the Black Hat mix. While he didn’t apologize for their presence — and noted that vendor sponsorships are important to the financial suc-
See Black Hat, page 14


Government  races  to  cut 
risk  of  'Net  access  points 


BY  CAROLYN  DUFFY  MARSAN 

The federal government is locking down its networks through an ambitious and fast-paced effort to eliminate connections to the Internet that are vulnerable to attack.

In  the  past  nine  months,  the  feds  have 
reduced  the  number  of  external  network 
connections  they  operate  from  more  than 
8,000  to  about  2,700.  By  next  year,  they  plan 
to  have  fewer  than  100  connections,  many 
of  them  shared  by  multiple  agencies. 

It’s an approach experts say large private-sector organizations would do well to emulate.

The federal government’s remaining Internet access points will have state-of-the-art security policies and managed security services, including antivirus, firewall, intrusion detection and traffic monitoring.

Bush administration officials say the consolidation effort will help agencies fend off a barrage of viruses, worms, and denial-of-service and other attacks, while improving their ability to respond when a hacker gets through a network’s multilayered defenses.

“It will reduce our risk,” says Karen Evans, administrator for E-Government and IT in the Office of Management and Budget (OMB). “We will have better situational awareness for what’s happening on our networks so we can take actions that will help enhance the trust of the American people that we are protecting their information.”

[Chart. Source: Office of Management and Budget]

OMB announced the Trusted Internet Connections (TIC) initiative last November. It joins several other administration

See  Government,  page  27 


Appliance  gets  a 
boost 

Enterprise appliance now offers capacity for 10 million documents, personalized alerts and results ranking. Page 18.
Your potential. Our passion.®

Microsoft


Change  the  insides,  not  the  outsides. 

Here's the reality — there's a whole new way to move to VoIP. And you don't need a whole new infrastructure to make it happen. That's because it isn't about ripping and replacing or big, upfront costs. You see, it isn't about hardware.

It's actually about software.

Now you can keep your hardware — your PBX, your gateways, even your phones. Move to VoIP with software. Software that integrates with Active Directory®, Microsoft® Office, Microsoft Exchange Server, and your PBX.

Maximize your current PBX investment and make it part of your new software-based VoIP solution from Microsoft. It's big change, without changing it all. Learn more at microsoft.com/voip




When your company is on one network, it can be truly flexible. Expand, move or merge. And do it faster on a single IP network. Sprint Converged Solutions lets you access your voice, video and data instantly on one network, built end-to-end with technologies that have the Cisco Quality of Service certification. So you have the flexibility to adapt to whatever the future brings. Get it on the Now Network.
Data Center Infrastructure and Management
Learn more at IT Roadmap: Dallas, Sept. 23

Technologies such as virtualization, blade computing and next-generation switching and routing compel a total rethink across the enterprise. Share in the rethinking by attending IT Roadmap: Dallas.
APPLICATION SERVICES

12 How to troubleshoot sluggish applications.

SERVICE  PROVIDERS 

26  Opinion  Scott  Bradner:  Unhappy 
the  FCC  supported  net  neutrality. 


8  Catch  up  on  the  latest  online  stories, 
blogs,  newsletters  and  videos. 


Prosecution  progress 

The U.S. Department of Justice charged 11 people in connection with a massive identity-theft and computer-fraud scheme involving various retailers, including TJX, BJ’s Wholesale Club and OfficeMax. The group charged was involved in the theft of more than 40 million credit and debit card numbers. Officials say it’s the largest identity-theft case ever prosecuted by the Justice Department.


Olympic  scams 

Scammers have swindled hundreds of people out of thousands of dollars each using bogus Olympic ticket-selling sites. Users were duped into handing over their credit card numbers and passport information as they paid for nonexistent tickets to events at the Beijing Olympics, according to published reports. The sites were particularly convincing, sporting professional designs and using Olympic logos liberally.


Wireless  abandon 
Sprint Nextel is still hemorrhaging wireless subscribers. The company reported losing 901,000 in the second quarter, with the vast majority coming from its postpaid wireless segment. Sprint has reported subscriber losses in seven of the past eight quarters — a trend that’s taking a big bite out of its wireless revenue.


ENTERPRISE  COMPUTING 

10  IBM  exec  peers  into  future  Linux 
applications 

18  Google  upgrades  Search  Appliance. 


COOL 

TOOLS 

■ The Das Keyboard lets you type faster and with plenty of click.

See  Cool  Tools,  page  24. 


26 Opinion Johna Till Johnson: FCC was right to tell Comcast: Hands off.

TECH  UPDATE 

21  Practicing  safe  SOA. 

24  Mark  Gibbs:  What  readers  sync. 

24  Keith  Shaw:  Das  Keyboards  let  you 
type  faster. 
16 Juniper consolidates management software.

16  EMC  unveils  midrange  Clariion 
device. 


18  Merrill  Lynch  going  stateless. 

19 Opinion Andreas Antonopoulos: What you don’t know about security can hurt you.

20  Cisco  CSO  says  security  is  growing  up. 

35  Cloud  service  offers  network 
security. 

38  Opinion  BackSpin:  E-discovery: 
turning  you  into  an  actuary 

38  Opinion  ’Net  Buzz:  Circuit  City, 
‘Mad’  magazine  and  Streisand. 


GOODBADUGLY 


PEERSAY 


Security  is  like  “Soylent 
Green”:  It’s  people 

Re: Good vs. bad security-awareness training (www.nwdocfinder.com/6125):

Technology alone is not the answer, as what technology can contend with people sharing their passwords, or propping open fire exits so they can have a cigarette without going through access control? It seems that many security directors just want a “tick in the box” and invest in training products that employees go through once a year. In my experience, technology, training and ongoing security awareness is the way to keep security in everyone’s minds. Regular reminders that are engaging, presented in a variety of mediums and which clearly answer the “why should I do this?” question are key.

Bernadette  Palmer 

Discuss  at  www.nwdocfinder.com/6125 

Anything  can  fail  with  poor 
implementation 

Re: Microsoft wants to steal five million Notes customers (www.nwdocfinder.com/6126):

The success of a Microsoft Office SharePoint Server 2007 environment depends on how it is envisioned, configured and implemented. If your environment is unsuccessful, has your organization considered getting an experienced MOSS consultant involved?

I’ve participated in hundreds of SharePoint projects and, like other software environments, seen great successes and dismal failures. However, envisioned, configured and implemented correctly, SharePoint has more productivity potential, and immediate impact, than any tool I’ve seen in my 32 years of IT experience.

Marie  Gray 

Discuss  at  www.nwdocfinder.com/6127 

Another  command-line 
interface  fan 

Re: Cisco PIX is dead (www.nwdocfinder.com/6128):

I can’t stand that response “move on from CLI.” Wait, oh, that’s right, because we need more point-and-click admins in this world. They haven’t created enough garbage on the Internet and at companies.

CLI requires more knowledge, but it also requires more knowledge, which requires more knowledge. Any dip can click a radio button and type an IP address; it takes a technologist to understand what it all does and how it works.

Cisco really needs to move on from CLI, I agree. Their router line is not selling, their switches aren’t installed everywhere, the PIX/ASA isn’t very successful.

Wait a second, just woke up from a nightmare. Cisco owns these spaces because of the admins and engineers who understand technology and thrive on CLI because of the knowledge required.

Go home and write about the demise of Windows XP or something with a GUI.

Jeffrey  Lefkowitz 

Discuss  at  www.nwdocfinder.com/6128 


BGP  everywhere 

Re: Making BGP our core enterprise routing protocol (www.nwdocfinder.com/6129):

I am seeing more of our customers adopt the [Border Gateway Protocol]-everywhere design. Only a single protocol spanning the whole enterprise network can assure a stable, loop-free topology.

An alternative approach that has some merits would be the use of eBGP on all paths instead of using iBGP for LAN segments.

In some cases, the differing default administrative-distance values applied to eBGP and iBGP routes in a [customer edge] router can lead to incorrect forwarding behavior (such as preferring a WAN eBGP path over a more direct LAN iBGP path). Additional complexity may be needed in the CE router configuration to overcome this. Using eBGP everywhere eliminates the administrative-distance issue and makes BGP more “[Interior Gateway Protocol]-like” in behavior and configuration. All routers behave the same way. No added complexity is needed at the eBGP/iBGP boundary.

The downside is the need to apply a unique number in every router. And such a renegade private network would obviously not support a contiguous BGP connection to the public Internet (but that is easy to work around, such as using a short IGP hop). And the service provider should disable AS override.

Remember that a private network is not the Internet, and assumed conventional wisdom for BGP may not apply. I believe using eBGP everywhere in a private network is viable.

Toby  Jessup 
SWAT  Engineer 
Qwest  Communications 
Discuss  at  www.nwdocfinder.com/6129 
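The administrative-distance trap Jessup describes, as an added illustration that is not part of the letter and not code from Qwest or any router vendor: a small Python model of Cisco-style route selection. A CE router learns the same prefix from a directly attached LAN router and from the provider over the WAN; run once with the LAN peering as iBGP and once with eBGP everywhere. The AD values are Cisco IOS defaults; the prefixes, next hops and AS numbers are constructed sample data.

```python
"""Why mixed eBGP/iBGP inside an enterprise can send LAN traffic over the WAN.

Added illustration, not code from the letter or from Qwest. It models a
Cisco-style router's route selection: longest prefix match first, then
lowest administrative distance (AD), and only then BGP's own tie-breakers
(local preference, AS-path length). AD values are Cisco IOS defaults; the
prefixes, next hops and AS numbers below are made-up sample data.
"""
import ipaddress
from dataclasses import dataclass

# Cisco IOS default administrative distances (lower is preferred).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110, "ibgp": 200}


@dataclass(frozen=True)
class Route:
    prefix: str            # destination network, e.g. "10.20.0.0/16"
    protocol: str          # key into ADMIN_DISTANCE
    next_hop: str
    as_path: tuple = ()    # BGP AS path; shorter wins among equal-AD BGP routes
    local_pref: int = 100  # BGP local preference; higher wins


def best_route(candidates, destination):
    """Pick the route a router would install and use for `destination`."""
    dest = ipaddress.ip_address(destination)
    matching = [r for r in candidates if dest in ipaddress.ip_network(r.prefix)]
    if not matching:
        return None
    # 1. Longest prefix match.
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matching)
    matching = [r for r in matching if ipaddress.ip_network(r.prefix).prefixlen == longest]
    # 2. Lowest AD decides between protocols *before* any BGP attribute is
    #    compared; that ordering is the trap the letter describes.
    # 3. Among routes with the same AD: higher local_pref, then shorter AS path.
    return min(matching, key=lambda r: (ADMIN_DISTANCE[r.protocol], -r.local_pref, len(r.as_path)))


def chosen_next_hop(lan_protocol, lan_as_path):
    """The CE router learns 10.20.0.0/16 twice: from the LAN router next door
    and from the provider over the WAN (two AS hops away). Sample data."""
    lan = Route("10.20.0.0/16", lan_protocol, "10.1.1.2", lan_as_path)
    wan = Route("10.20.0.0/16", "ebgp", "192.0.2.1", (65000, 65001))
    return best_route([lan, wan], "10.20.5.7").next_hop


def mixed_design_next_hop():
    """LAN peering is iBGP (AD 200), WAN peering is eBGP (AD 20): the WAN
    path wins purely on AD, even though the LAN path is more direct."""
    return chosen_next_hop("ibgp", ())


def ebgp_everywhere_next_hop():
    """Every router has its own private AS, so the LAN peering is eBGP too.
    Both candidates now carry AD 20 and the shorter AS path picks the LAN."""
    return chosen_next_hop("ebgp", (65002,))


if __name__ == "__main__":
    print("mixed iBGP/eBGP ->", mixed_design_next_hop())     # 192.0.2.1 (WAN)
    print("eBGP everywhere ->", ebgp_everywhere_next_hop())  # 10.1.1.2 (LAN)
```

The fix in a real CE router would be the configuration change the letter alludes to (a per-neighbor `distance` tweak, or the eBGP-everywhere design); the model only shows why the default ordering misroutes.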

E-mail letters to jdix@nww.com or send them to John Dix, editor in chief, Network World, 492 Old Connecticut Path, Framingham, MA 01701-9002. Please include phone number and e-mail address for verification.
ALTERNATIVE THINKING ABOUT SERVER MANAGEMENT:

servers


The HP ProLiant DL385 G5 Server, featuring efficient Quad-Core AMD Opteron™ processors, lets you manage it from your office in San Diego while it sits in Boston. Remote Management (iLO 2) lets you control, reboot and troubleshoot from practically anywhere, even when the server is off.


Technology  for  better  business  outcomes. 


Sonos upgrades multi-room audio gear

High-end multi-room audio maker Sonos launches the second generation of its wireless, mesh-based audio system, which lets users listen to music around the house.


Electric car, batteries included

Taking a test drive of Nissan’s prototype electric car, powered by a new lithium ion battery developed by Nissan and manufactured by a joint venture with NEC.


Google,  Microsoft 
square  off 

At  the  recent  Campus 
Technology  conference 
in  Boston,  Google  and 
Microsoft  went  head-to- 
head  with  their  products 
for  education. 

www.nwdocfinder.com/6140
Net skills gap creates opportunity


■ If there is a worker shortage . . . Randy Muller asks in All About Microsoft Certifications if we're really short of IT workers — and if there is a shortage, is the answer really to let more foreign workers into the country or to train more homegrown talent: "If companies train their own employees, or develop a training program for new employees, they would potentially have a more-loyal workforce, but at least they would have a higher-skilled employee base. How would this help overall? By training your own employees, they would potentially earn a higher wage, which would in turn assist the economy."
www.nwdocfinder.com/6134

■ Lessons from the TJX hacking case. Richard Stiennon writes in Stiennon on Security that he was surprised to learn the feds believe it was just one small group of hackers who allegedly stole those 41 million credit-card records, but says there are some good lessons in the case — such as talking to your peers and listening to those security advisors who tell you to tighten up your network: “Ultimately, the only way to impact the rise of cybercrime is to catch the criminals and punish them. Just don't let this astounding coup on the part of the Secret Service be an excuse for more delays in securing your network.”
www.nwdocfinder.com/6135

■ Trickery and deceit no way to sell an OS. Ron Barrett thinks Vista is a great operating system. But in A Better Windows World, he expresses his disdain for Microsoft's Mojave experiment (secretly replacing XP users’ operating system with Folger's Crystals — um, Vista): “We need to get users to embrace Vista and let go of Windows XP. We also want them to make that change before 2010 (when Windows 7 is scheduled to arrive). Trickery and deception are not good marketing practices. Look, I know that Vista is being unfairly slammed in all sectors, and I stand by Microsoft wanting to stand up and defend it; this was just the wrong way to do that."
www.nwdocfinder.com/6136

■ Keeping SIP whole. Matthew Nickasch says true Session Initiation Protocol standardization is critical for the future of VoIP. In Considering Convergence, he writes: “There are simply too many systems and environments that are utilizing proprietary or ‘modified’ protocols for signaling. So, development in this area has been vendor-centric and closed, and not towards a common and unified technology.”
www.nwdocfinder.com/6137


IT careers: IDC is reporting that a huge networking skills gap is proving troublesome to enterprises — but presents a big opportunity for IT professionals. Six hundred thousand IT workers were needed to install, configure, manage and secure networks in North America in 2007, 14% of the total IT workforce. Yet another 180,000 IT pros with networking skills will have to be added by 2011 to keep up with several changes that are transforming the role of the network, IDC reports in research sponsored by the Cisco Learning Institute. The network is becoming more critical to allowing innovation and enabling business to be conducted across great distances. Increased focus on security; regulatory requirements; and the growing complexity of networks with converged voice, data and video traffic are factors driving up demand for networking professionals, IDC says.
www.nwdocfinder.com/6131

Network/systems management: Poor application performance causes more than headaches for users trying to access resources and network managers hoping to keep workers productive. It impacts a business’s bottom line and equals lost revenue to many organizations, a recent Aberdeen Research study shows. Aberdeen Research, which was commissioned by Aternity, polled more than 200 organizations between May and June 2008 to learn more about how application performance is managed and what happens when applications don’t perform as expected by the business. Nearly 60% of the organizations polled reported they were not satisfied with the performance of business-critical applications, and survey respondents said issues with application performance are affecting corporate revenue by as much as 9%.
www.nwdocfinder.com/6132

Tech exec: In this day and age of escalating complexity of IT solutions and skyrocketing tech support costs, it’s unusual to find a vendor that truly caters to the needs of small and midsize companies. But George Krupica, Director of Information Technology for Main Street Bank of Wheeling, W.Va., has met the IT vendor of his dreams. Krupica readily sings the praises of TriGeo Network Security, maker of a security information and event management appliance that is specifically designed for smaller organizations that don’t have a 24-hours-a-day operations center or a large IT staff. Main Street Bank, with its three branches and small IT department, fits the TriGeo customer profile perfectly.
www.nwdocfinder.com/6133
Microsoft’s Patch Tuesday:

7 critical patches promised

August will be a big month for Microsoft security patches: The company said it plans to release 12 updates, seven of them critical, on this week’s Patch Tuesday. The critical patches affect Windows, Internet Explorer, Access, Windows Media Player and Microsoft Office. Updates for Office, which has kept Microsoft busy with security updates lately, include individual patches for PowerPoint and Excel. Microsoft also will release five patches rated important, four of which affect Windows and one of which affects Office. Older versions of Windows, including Windows 2000, Windows XP and Windows Server 2003, are mainly affected by the critical patches. The latest version of the Windows client OS, Windows Vista, will get two important patches.
www.nwdocfinder.com/6141


Linux patent pool to push for ‘defensive publication.’ A tech vendor-backed company that buys up patents in an effort to protect the Linux community from intellectual-property litigation will soon launch a Web site to help inventors file defensive publications — documents that make details of an invention public, preventing others from later making patent claims on it. The effort will serve as a counterpart to the Open Invention Network’s strategy of providing its patents royalty-free to companies in exchange for a commitment that they won’t assert their patents against the Linux system. “The more we can mobilize this community the fewer patents that will actually be granted,” said Keith Bergelt, who recently became OIN’s CEO. “Whatever happens in the patent-reform world in the next [U.S.] administration is great, but we have to act now to stop the granting of patents that threaten Linux and open source in general.”
www.nwdocfinder.com/6142

Dell goes carbon-neutral. Dell says it has met its goal of becoming “carbon neutral” through a series of initiatives to reduce its own energy consumption and offset carbon emissions around the world. Dell was the first major computer-maker to announce such a plan last September, when it said it would make all company-owned and -leased facilities carbon-neutral by the end of 2008. Carbon neutrality involves offsetting carbon emissions with projects that limit or sequester emissions, such as planting trees or purchasing carbon offsets. To meet its goal, Dell entered a partnership with Conservation International to protect more than 591,000 acres of tropical forestland in Madagascar that otherwise might have been destroyed, preventing a half-million tons of carbon emissions over the next five years. Dell’s carbon-neutral project also includes purchases of renewable energy certificates and new investments in wind power in the United States, China and India.
www.nwdocfinder.com/6143

Google Earth used to predict grid problems. Researchers at Oak Ridge National Labs tapped Google Earth to build a tool that displays the real-time status of the national electric grid so that federal, state and local agencies can respond to such major problems as wide-area power outages and natural disasters. The Visualizing Energy Resources Dynamically on Earth (VERDE) system combines images and stats about everything from the real-time status of the electric grid and weather information to power-grid behavior modeling and simulation. It can predict the transmission lines particularly at risk of storm damage, as well as the population in specific areas likely to lose power as a result of destructive winds from storms, for example.
www.nwdocfinder.com/6144

Facebook stamps out malware attack.

Facebook last week blocked links between its social-networking site and malware-infested Web sites to which hackers have been trying to lure Facebook members. Security company Sophos warned Thursday about the attack, in which hackers were targeting Facebook users via postings on the site’s Wall feature. Impersonating members’ friends, hackers posted messages urging users to click on a link to view a video. The link took users to a rogue Web page where they were told to download a new version of Adobe’s Flash player. If users authorized the download, the site would install Troj/Dloadr-BPL, which in turn tunneled other malicious code, detected as Troj/Agent-HJX, into their PCs. Sophos warned business and IT managers that malware attacks via social networks are on the rise and companies need to establish policies for employees’ use of these sites from the office.
www.nwdocfinder.com/6145

Energy efficiency not a big factor in IT purchasing decisions. Just 34% of IT executives say energy efficiency is a very important factor when considering equipment purchases, a new survey by IT products and services vendor CDW has found. IT managers routinely say they care about energy efficiency, and 94% told CDW that they take some measures to manage energy consumption and the cost of equipment. But with only one-third of executives calling energy efficiency a key buying factor, it’s clear that concerns about efficiency are not heavily influencing purchasing decisions, CDW concludes. Among those organizations with formal energy-reduction plans, nearly one out of 10 were able to reduce costs by 21% to 40%, and one out of 50 of these organizations were able to reduce IT energy costs by 41% or more.
www.nwdocfinder.com/6149

WiMAX not ready for prime time. While WiMAX has the potential to deliver mobile broadband services to U.S. companies, its success will depend largely on how well and quickly the Sprint-Clearwire coalition builds out its nationwide network, says Forrester Research. In order for WiMAX to be successful, Clearwire will have to meet “a number of very important milestones” including service deployment and the availability of multimode devices that have separate channels for voice and data, the research firm says. WiMAX today is not deployed widely enough for enterprise companies to use it as their primary mode of WAN access, and should be viewed as a backup option for such WAN technologies as MPLS. Forrester also sees WiMAX as less a “Wi-Fi killer” and more an extension to current Wi-Fi-based wireless LANs that could fill in coverage gaps.
www.nwdocfinder.com/6147

Rebates for using energy-efficient storage on the way.

Start-up Wikibon is behind a new service called the Wikibon Energy Labs that lets storage vendors verify the energy savings of certain products, making them eligible for utility rebates. EMC, 3Par, Compellent, DataDirect Networks, Hitachi, Nexsan and Xiotech are getting products certified for energy rebates available through the Pacific Gas & Electric Co., which provides natural gas and electric service in California. PG&E is the first utility that’s part of the storage rebate effort, but Wikibon is in talks with other utilities in Texas, New Jersey, New York, Vancouver and other areas to expand availability.
www.nwdocfinder.com/6148
IBM exec peers into future Linux applications


The  next  10  years  will  be 
‘do  or  die,’  exec  says 

BY  JOHN  FONTANA  AND  STEPHEN 
LAWSON 

SAN FRANCISCO — Open source software may not make major inroads into industry-specific enterprise applications, according to an IBM open source guru. The next 10 years will be “do or die” for this type of application, said Bob Sutor, vice president of open source and standards at IBM, in a LinuxWorld keynote last week. “I’m getting tired of waiting,” he said. “Either it’s going to happen or it’s not going to happen.”

Many companies use general-purpose applications, such as Mozilla Firefox, but few have industry-specific Linux applications, Sutor said. The public sector, especially education, offers glimmers of hope with such software as the Sakai collaboration and learning environment, he noted. For other industries, open source may take a long time to gain traction or may never gain it, he said. “You may believe that there will come a day where all software is free software, or open-source software . . . [but] it’s not tomorrow, and it’s probably not next year, and it’s probably not 10 years from now,” he added.

One  thing  that  has  kept  some  companies 
from  embracing  open  source  software  is  the 
proliferation  of  different  licenses,  Sutor  said. 
“When  customers  say  ‘I’m  ready  to  use  open 
source,’  [they]  don’t  want  to  see  the  license  du 
jour’’ he  said. They  won’t  tolerate  a  lot  of  ongo¬ 
ing  change  in  the  legal  aspects  of  using  a  piece 
of  software,  he  added 

Fortunately  out  of  approximately  60  open 
source  licenses  approved  by  the  Open  Source 
Initiatives  handful  are  used  for  roughly  90%  of 
open-source  projects,  Sutor  said.  Among  them 
are  Apache,  Eclipse,  Mozilla  and  versions  of  the 
General  Public  License  and  Lesser  GPL.  Over 
the  next  10  years,  these  will  be  refined,  and 
there  will  be  less  pressure  to  craft  different 
types  of  licenses,  he  believes. 

Meanwhile,  Linux  will  be  used  in  a  wide  vari¬ 
ety  of  devices  and  various  Internet-based  ser¬ 
vices,  such  as  cloud  computing  and  software- 
as-a-service,  and  judged  less  as  an  operating 
system  on  desktops  or  even  the  x86  hardware 
platform, Sutor  predicted. 

That  was  one  of  a  series  of  10-year  predic¬ 
tions  he  made  to  mark  the  10th  anniversary  of 
IBM  embracing  Linux.  Other  predictions: 

“Green”  will  drive  significant  initiatives  in 
open  source. 

The  drive  to  green  computing  will  spawn  sig¬ 
nificant  application  innovations, and  Linux  will 
help  reduce  energy  consumption  via  server 


consolidation,  virtualization,  load-balancing 
and  more-efficient  resources  management. 

Linux  will  not  be  replaced. 

A  new  open  source  operating  system  will  not 
come  along  and  unseat  Linux,  because  the 
current  operating  system  will  continue  to 
evolve  to  solve  new  problems. 

Linux  mind  share  will  be  less  x86  focused. 

Linux  already  runs  on  many  processors,  and 
that  won’t  change.  Linux  will  find  significant 
new  opportunity  in  software-as-a-service  and 
cloud  computing. 

The  idea  of  Linux  on  the  desktop  will  be  sig¬ 
nificantly  different. 

The  very  definition  of  desktop  will  change, 
and  become  more  focused  on  clients  that  sit 
anywhere  from  a  cubicle  to  the  bottom  of  a 
pants  pocket.  Client  focus  will  be  on  collabo¬ 
ration  via  open  standards,  cloud  computing, 
enterprise  appliances,  Web  2.0  and  rich-client 
platforms.  If  Linux  wants  a  stake  on  the  tradi¬ 
tional  desktop,  it  needs  to  mimic  the  Apple 
Mac  in  usability  and  design. 

SMB  is  too  close  to  call. 

Smaller  companies  will  focus  on  “buying 
solutions”  rather  than  hardware,  operating  sys¬ 
tems  and  applications;  and  that  could  be  a 
boon  for  Linux.  The  wild  card  is  the  split 
between  embracing  open  platforms,  desktops 
and  clients,  and  moving  pieces  to  the  cloud. 

It  will  be  relatively  quiet  on  the  free  and 
open  source  license  front. 

Licensing  will  coalesce  around  the  same  set 
of  licenses  in  use  today  but  more  open  source 
software  will  include  a  combination  of  licens¬ 
es,  which  will  increase  the  legal  complexity  of 
open  source. 

Open  standards  will  grab  more  attention. 

The  number  of  prominent  standards  organi¬ 
zations  will  decrease,  given  poor  processes 
and  technology  back-room  dealings,  and  out¬ 
dated  intellectual  property  policies.  The 
evolved  model  will  be  closer  to  today’s 
Creative  Commons,  and  will  govern  how 
groups  choose  open-standards  intellectual- 
property  license  agreements  or  patent- 
nonassertion  promises. 

It  will  be  a  “do  or  die”  decade  for  open 
source  industry  applications. 

Vertical  industries  will  start  to  move  indus¬ 
try-specific  applications  toward  open  source 
in  a  significant  way  or  they  will  stay  put  on  pro¬ 
prietary  systems  for  the  long  term.  There  will 
be  no  middle  ground,  although  more  propri¬ 
etary-application  vendors  will  offer  a  Linux- 
based  version.  ■ 

LINUX  &  OPEN  SOURCE 
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Cisco  posts  solid  quarter  in 
challenging  economy 

Cisco  recorded  fourth-quarter  net  sales 
of  $10.4  billion,  beating  Wall  Street  esti¬ 
mates  by  $100  million  and  growing  10% 
from  the  fourth  quarter  of  fiscal  2007.  Net 
income,  excluding  expenses,  charges  and 
other  items,  was  $2.4  billion  or  40  cents 
per  share,  a  penny  better  than  analyst 
estimates  and  an  increase  of  11%.  In  the 
first  $10  billion  quarter  in  Cisco’s  history, 
orders  for  routers  were  up  14%,  for 
switching,  up  7%  and  for  advanced  tech¬ 
nologies,  up  21%.  CEO  John  Chambers, 
however,  reiterated  the  caution  he 
expressed  earlier  in  the  quarter  on  the 
macroeconomic  environment  and  its 
effect  on  IT  spending.  He  says  these  chal¬ 
lenges  will  remain  over  the  “next  few 
quarters.” 

Verizon  unveils  integrated 
emergency-response  system 

Verizon  Business  is  offering  an  IP-based 
platform  designed  to  integrate  emergency- 
response  radio  systems,  along  with  voice 
and  data  services,  into  a  common  network. 
The  system  converts  all  designated  radio 
signals  within  the  emergency  response  sys¬ 
tem  to  IP  so  police,  firefighters  and  emer- 
gency-medical-service  providers  can  com¬ 
municate  even  though  they  use  different 
radio  frequencies.  Verizon  says  the  platform 
also  can  link  the  IP-based  radio  communica¬ 
tions  with  wireline  and  wireless  voice  calls, 
as  well  as  with  e-mail  and  text  messages. 
The  service  also  will  be  able  to  use  a  pre¬ 
programmed  list  of  phone  numbers  and 
radio  frequencies  to  alert  government  offi¬ 
cials  of  a  crisis  automatically. 

Oracle  to  package  apps  on  vir¬ 
tual  machines 

Oracle  unveiled  a  set  of  “templates"  that 
are  fully  configured  systems  distributed  as 
virtual  machines  that  can  be  used  fortest¬ 
ing  or  deployment.The  company  is  initially 
releasing  four  Oracle  VM  Templates,  which 
can  be  downloaded  for  free  and  used  for 
testing  only.The  templates  are  for  Oracle 
Database  1 1  g,  Oracle  Enterprise  Manager, 
Oracle’s  Siebel  CRM  8  and  Oracle  Enter¬ 
prise  Linux.The  model  of  distributing  pre¬ 
configured  and  pretested  applications  on 
virtual  machines  is  not  a  new  one,  but  it 
offers  a  convenience  for  corporate  users. 
Oracle  plans  to  offer  an  software  develop¬ 
er’s  kit  so  partners  can  create  templates  for 
their  own  applications. 


10 • AUGUST 11, 2008 • www.networkworld.com




NEWS ANALYSIS

How to troubleshoot sluggish apps

IT managers, industry watchers reveal how to prevent poor app performance

When applications go awry

Aberdeen Group surveyed 206 organizations to learn the ways poor application performance can affect a business:

• Decline in employee satisfaction: 58%

• Loss of revenue opportunities: 50%

• Decrease in responsiveness to needs of external customers: 47%

• Damage to brand reputation: 32%

• Decrease in effectiveness of IT staff: 31%
BY DENISE DUBIE

There’s more at stake than lost productivity when application response times slow to a standstill. Company revenue also takes a hit.

Aberdeen Group recently surveyed 200 organizations and found that issues with application performance affect overall corporate revenue by as much as 9%.

“No one is safe today from the negative impact of poor application performance, whether you’re a gamer, a retail outlet or a Salesforce.com user,” says Jasmine Noel, principal analyst at Ptak, Noel & Associates. “The question is how much money do you have to lose if the application starts crawling along at traffic-jam speeds?”

On the one hand, multi-tiered applications help companies do better business, but on the other, the complexity of the environment in which they reside challenges network managers looking to prevent problems before they reach users and customers. Adding to the problem is the growing adoption of such technologies as virtualization, VoIP and service-oriented architecture — which require sophisticated environments that could hinder troubleshooting efforts when problems arise.

“In the past, we were managing the infrastructure, which really doesn’t get into how the application is performing for the end users,” says Jason Norton, director of operations and telecommunications at media and marketing company Scripps Networks in Knoxville, Tenn. “We need to be able to be aware of and see all of the pieces that make up an application and how they affect the end user to understand when performance is going to be impacted,” he says.

Here we analyze three scenarios in which application-performance problems could elude network managers.

Can you hear me now?

Symptom: VoIP calls begin to experience poor quality and latency, some even dropping altogether.

When Koie Smith, IT administrator at Jackson, Tenn., law firm Rainey, Kizer, Reviere & Bell, noticed VoIP calls performing inconsistently across the network, he first tried to trace the problem to a specific port.

“We have had instances in which a performance problem would occur because something had been put on the network, such as a network-interface card or a port, that causes a problem with an application, such as voice,” Smith explains.

But the performance issues with the application couldn’t be traced back to a specific port. Smith began looking further into the QoS settings he had established when he rolled out voice traffic and discovered why the voice users were suffering: Undefined priority tags on voice packets across multiple switches meant that only some of the traffic was given priority, which resulted in spotty performance.

The solution? Updating the QoS tags and specifically defining the priority tags for voice traffic across all network switches.

“From the network side of it, it is critical to define tagging and assign priorities on the switch for such specific traffic as voice or video,” Smith says. “A lot of switches will identify and acknowledge that QoS tag, but if you don’t also have a priority tag on each switch — even if you have it tagged at the source — the switch just dumps that traffic in with all general traffic, and it doesn’t get the allocated bandwidth it needs to perform well.”
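The hop-by-hop failure Smith describes, as an added example that is not the law firm's or the article's own code: a small Python audit that walks a voice frame's path through a constructed set of switches and reports every hop on which the priority tag is not honored. The switch names, trust settings and queue mappings are assumptions made up for the illustration, and the "rewrite untrusted tag to 0" behaviour models platforms that remark ingress tags on untrusted ports, which is what makes one bad hop poison every hop after it.

```python
"""Hop-by-hop audit of whether a voice frame's priority tag is honored.

Added example, not code from the article or the law firm it describes.
The switches below are constructed for illustration; real platforms differ
in how they express trust and queue mapping, but the failure mode is the
same: a tag set at the source only helps on hops that are told to honor it.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

VOICE_COS = 5      # 802.1p class of service commonly used for voice bearer traffic
BEST_EFFORT = 0    # the class untagged or untrusted traffic is treated as


@dataclass
class Switch:
    name: str
    trusts_ingress_tag: bool                                    # honor the CoS received on the link?
    priority_queue_cos: Set[int] = field(default_factory=set)   # CoS values sent to the strict-priority queue
    untrusted_rewrite: Optional[int] = None                     # some platforms remark untrusted ingress to this

    def forward(self, cos: int) -> Tuple[str, int]:
        """Return (queue used on this hop, CoS value carried to the next hop)."""
        if not self.trusts_ingress_tag:
            egress = cos if self.untrusted_rewrite is None else self.untrusted_rewrite
            return "best-effort", egress
        queue = "priority" if cos in self.priority_queue_cos else "best-effort"
        return queue, cos


def audit_path(path: List[Switch], cos: int = VOICE_COS):
    """Walk the path and record, per hop, the queue used and the tag passed on.

    Returns (trace, lost): trace is a list of (switch, queue, egress_cos);
    lost names every hop on which voice fell into the general-traffic queue.
    """
    trace, lost = [], []
    for sw in path:
        queue, cos = sw.forward(cos)
        trace.append((sw.name, queue, cos))
        if queue != "priority":
            lost.append(sw.name)
    return trace, lost


def sample_path(fixed: bool) -> List[Switch]:
    """Constructed five-switch path from one phone to another (assumed topology).

    fixed=False reproduces the symptom in the article: the tag is set at the
    source and honored on the access switch, but one distribution switch has
    no priority mapping defined and the core does not trust the tag at all.
    fixed=True is the remedy: every switch trusts the tag and maps CoS 5 to
    its priority queue.
    """
    if fixed:
        return [Switch(n, True, {VOICE_COS}) for n in
                ("access-1", "dist-1", "core-1", "dist-2", "access-2")]
    return [
        Switch("access-1", True, {VOICE_COS}),                # honors the tag
        Switch("dist-1", True, set()),                        # trusts it, but no priority queue defined for it
        Switch("core-1", False, set(), untrusted_rewrite=0),  # untrusted port: tag reset to 0 for all later hops
        Switch("dist-2", True, {VOICE_COS}),                  # correctly configured, but now sees CoS 0
        Switch("access-2", True, {VOICE_COS}),
    ]


if __name__ == "__main__":
    for fixed in (False, True):
        trace, lost = audit_path(sample_path(fixed))
        print("fixed" if fixed else "broken", "path:")
        for name, queue, cos in trace:
            print(f"  {name:9s} queue={queue:11s} cos-out={cos}")
        print("  hops without priority:", lost or "none")
```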

Application, heal thyself

Symptom: E-mail grinds to a halt on a user workstation, but by the time the help desk attempts to fix the problem, it seemingly has resolved itself. A few weeks later, another user reports a similar concern.

Tracking down the source of transient problems is one of the more challenging tasks for network managers, Noel says.

For one, many troubleshooting techniques require network managers to capture data about what was happening at the time of the problem. In addition, most minor problems that occur intermittently point to a larger underlying issue that IT must resolve before the application stops acting spotty and fails altogether.

“First, you have to notice this has happened and record it, so that when it happens again, you know it deserves attention,” Noel says. “Then you have to catch it when it happens, so you can dissect it and prevent it from happening again.”

Baselining typical application performance with monitoring and measurement tools can help network managers understand how an application typically behaves and set thresholds to be alerted when it begins to stray. By using probes that capture traffic and packet data, network managers can go back and recreate these incidents as they happen and look for similar traits — a misconfigured server or a poorly designed application, for example.

“You have to check configuration details, memory and utilization; and you have to do it for all of those mini-incidents to see the common thread that connects the instances to a larger problem in the environment,” Noel says.
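Noel's two steps, baselining to set a threshold and then looking for the common thread across the mini-incidents, as an added example that is not the analysts' or the article's code: a Python sketch that learns a per-application baseline from a quiet window of response-time records, flags records that stray beyond the mean plus three standard deviations, and reports which attribute the flagged incidents share. The log format, hostnames, sites and timings are constructed for the illustration.

```python
"""Baseline, threshold and common-thread analysis for transient slowdowns.

Added example, not code from the article or the tools it names. The record
format (one record per line) and every value below are constructed.
"""
import re
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# constructed record format: ISO timestamp, then key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) server=(?P<server>\S+) "
    r"site=(?P<site>\S+) user=(?P<user>\S+) rt_ms=(?P<rt_ms>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rt_ms"] = int(rec["rt_ms"])
    return rec


def baseline(records: List[dict]) -> Dict[str, Tuple[float, float]]:
    """Per-application (mean, population std-dev) of response time from a quiet window."""
    by_app = defaultdict(list)
    for r in records:
        by_app[r["app"]].append(r["rt_ms"])
    return {app: (statistics.mean(v), statistics.pstdev(v)) for app, v in by_app.items()}


def threshold(base, app: str, k: float = 3.0) -> float:
    """Alert level for an application: mean plus k standard deviations."""
    mean, sd = base[app]
    return mean + k * sd


def detect_incidents(records: List[dict], base, k: float = 3.0) -> List[dict]:
    """Records whose response time strays beyond their application's threshold."""
    return [r for r in records
            if r["app"] in base and r["rt_ms"] > threshold(base, r["app"], k)]


def common_thread(incidents: List[dict], fields=("server", "site", "user")):
    """For each attribute, the value most incidents share and the fraction sharing it.

    A fraction of 1.0 on one attribute (here: the same server every time) is
    the common thread that ties unrelated-looking mini-incidents together.
    """
    if not incidents:
        return {}
    out = {}
    for f in fields:
        value, count = Counter(r[f] for r in incidents).most_common(1)[0]
        out[f] = (value, count / len(incidents))
    return out


# Constructed quiet window: two weeks of ordinary mail response times spread
# across two servers and two sites (180 to 236 ms).
BASELINE_LINES = [
    f"2008-07-{day:02d}T09:00:00 app=mail server={'mx-1' if i % 2 else 'mx-2'} "
    f"site={'knoxville' if i % 3 else 'nashville'} user=u{i:02d} rt_ms={180 + 7 * (i % 9)}"
    for i, day in enumerate(range(1, 15))
]

# Constructed mini-incidents weeks apart, each from a different user and a
# different site; the only thing they share is the server that answered.
INCIDENT_LINES = [
    "2008-07-16T10:42:11 app=mail server=mx-2 site=knoxville user=u31 rt_ms=6100",
    "2008-07-30T14:05:47 app=mail server=mx-2 site=nashville user=u07 rt_ms=5400",
    "2008-08-06T08:51:02 app=mail server=mx-2 site=knoxville user=u19 rt_ms=7300",
]


def run_example():
    """Learn the baseline from the quiet window, then scan the whole stream."""
    quiet = [r for r in map(parse_line, BASELINE_LINES) if r]
    stream = [r for r in map(parse_line, BASELINE_LINES + INCIDENT_LINES) if r]
    base = baseline(quiet)
    incidents = detect_incidents(stream, base)
    return base, incidents, common_thread(incidents)


if __name__ == "__main__":
    base, incidents, thread = run_example()
    print("mail threshold: %.0f ms" % threshold(base, "mail"))
    for r in incidents:
        print("incident", r["ts"], r["server"], r["site"], r["user"], r["rt_ms"], "ms")
    for f, (value, share) in thread.items():
        print(f"{f}: {value} shared by {share:.0%} of incidents")
```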

Scripps Networks’ Norton uses NetQoS SuperAgent technology to collect conversations from across the network to pinpoint the cause of problems that crop up and seemingly disappear. The product enables him to do packet capture and perform SNMP polls to gather data about transactions, thresholds passed and application-response times.

“You almost have to have the problem occur to be able to troubleshoot it. NetQoS will show us different pieces across the network [when] a database was running slow or server processes took a particularly long time,” Norton explains. “It helps us to say with confidence, ‘At this point in time, this is what was happening.’ And that speeds troubleshooting.”

Location, location, location

Symptom: A file-sharing application performs well for some users, but others report problems trying to access and work with the same application.

“We have had problems that come up in one location that don’t happen in the other location,” Norton says. “And when you are dealing with the same application, it can be tough to translate why an application would be slow for one group and not the other.”

The source could be misconfigured devices, which could stall application traffic, even
See Applications, page 35
Black Hat

continued from page 1

cess of the conference — Black Hat founder and director Jeff Moss did distance the show’s content from the sponsors. Presenters at the show briefings present vendor-neutral material chosen solely for its value to the security community, he said during his opening remarks.

Vendor booths aside, the audience was tuned to far more weighty topics, such as the security problems that ultimately will arise from the industry’s headlong push into virtualizing everything.

Virtualization “will not save you money, it will cost you more,” and “virtualized security can seriously impact performance, resilience and scalability,” said Christopher Hoff, chief security architect at Unisys, in an impassioned presentation. He argued that the user community is being sweet-talked into virtualization by an industry unmindful of the security consequences.

“Over the next 12 to 18 months, there’s a very uncomfortable set of circumstances, as every vendor rushes out to say ‘we’ve virtualized,’” Hoff said in his talk, “The Four Horsemen of the Virtualization Apocalypse.”

Using strong language directed at the network industry, Hoff argued that “it’s getting real messy” as Cisco, Brocade Communications, 3Leaf Systems and Xsigo Systems, among others, gallop off toward virtualizing basic switching infrastructures without a clear notion of what the security consequences are for enterprise customers accustomed to wholly different topologies that include such technologies as the Spanning Tree Protocol.

“A virtual switch is just a piece of code like a hypervisor,” Hoff said about the industry’s new direction. “It’s basically Layer 2 switching modules,” adding it means you’ve collapsed the network into “a single tier” and “it all boils down to three settings in a GUI.”

The virtual security — Hoff called it “VirtSec” — that’s arising in the wake of anticipated changes is ushering in virtual appliances that will become the cornerstone for trying to replicate traditional defenses, such as intrusion-prevention systems (IPS), antivirus and firewalls, he said. But as security functions compete for virtual-machine resources, there will be a performance hit, just as is seen in unified-threat-management devices today that combine IPS, firewall and other functions, he added.

Capacity planning with a virtualized network is “going to be very difficult to predict,” Hoff said, adding he was profoundly skeptical that trying to virtualize a firewall is going to work as DMZs are pushed into going virtual, too.

“If I decide to V-motion a firewall, it won’t work,” Hoff said, alluding to his own research with VMware and its V-Motion capability to rapidly deploy virtual-machine images. With virtualization, “you won’t get rid of host-based security software. As we add more solutions, we add complexity,” he said, advising the Black Hat audience “not to be dragged into the environment.”

The Cisco factor

While virtualization got its fair share of attention, it wouldn’t be a Black Hat conference without Microsoft and Cisco being bandied about. (See related story, page 20.) This year, with Microsoft Windows no longer the fertile ground for bug-hunting that it once was, researchers are looking at other products to hack, experts said. And Cisco’s routers, with 60% market share, are an interesting target.

“If you own the network, you own the company,” said Nicolas Fischbach, senior manager of network engineering and security with COLT Telecom, a European data-service provider. “Owning the Windows PC is not really a priority anymore.”

Cisco’s routers make a harder target than Windows, however. They’re not as well known to hackers, and they come in many configurations, so an attack on one router might fail on a second. Another difference is that Cisco administrators are not downloading and running software constantly. Cisco has done a lot of work in recent years to cut down on the number of attacks that can be launched against its routers from the Internet, Fischbach said. “All the basic, really easy exploits you could use against network services are really gone,” he said. The risk of having a well-configured router hacked by someone from outside of your corporate network is “really low,” he added.

That statistic hasn’t deterred the latest crop of security researchers, however. Two months ago, Core Security’s Sebastian Muniz showed new ways of building hard-to-detect rootkit programs for Cisco routers, and last week his colleague, Ariel Futoransky, gave an update on the company’s research in this area. In addition, two researchers from Information Risk Management, a security consultancy, released a modified version of the GNU Debugger, which gives hackers a view of what happens when Cisco IOS software processes their code, and three shell-code programs that can be used to control a Cisco router.

Meanwhile, Felix Lindner, head of Recurity Labs, released his Cisco forensics tool, called CIR (Cisco Incident Response), which he has beta-tested for the past several months. A free version of the software will check a router’s memory for rootkits, while a commercial version will be able to detect attacks and perform forensic analysis of the devices.

This software will give network professionals like Fischbach a way to go back and look at the memory of a Cisco device and see whether it has been tampered with. “I think there’s a use for it,” he said. “To me, it’s part of the tool kit when you do forensics, but it’s not the only tool you should rely on.”

That little DNS problem

The other dominating news from Black Hat was the widely anticipated discussion about the highly publicized flaw in the DNS, which is used by computers to find each other on the Internet.

Dan Kaminsky’s full-time job over the past few months has been working with software vendors and Internet companies to fix a security problem with DNS. He first disclosed the problem on July 8, warning corporate users and ISPs to patch their software as quickly as possible.

Last week Kaminsky disclosed more details of the issue during a crowded session at the Black Hat conference, describing a dizzying array of attacks that could exploit the DNS. He also talked about some of the work he’d done to fix critical Internet services that also could be hit with this attack.

By exploiting a series of bugs in the way the DNS protocol works, Kaminsky had figured out a way to fill DNS servers with inaccurate information very quickly. Criminals could use this technique to redirect victims to fake Web sites, but he described many more possible types of attacks, including how the flaw could be used to compromise e-mail messages, software updating systems or even password-recovery systems on popular Web sites.

In addition, although many had thought that SSL connections were impervious to this attack, Kaminsky showed how even the SSL certificates used to confirm the validity of Web sites could be circumvented with a DNS attack. The problem is that the companies that issue SSL certificates use such Internet services as e-mail and the Web to validate their certificates. “Guess how secure that is in the face of a DNS attack,” he said. “Not very. SSL’s not the panacea we would like it to be,” he added.

Another major problem has been what Kaminsky said is the “forgot my password” attack. This affects many companies that have Web-based password-recovery systems. Criminals could claim to have forgotten a user’s password to the Web site, then use DNS hacking techniques to trick the site into sending the password to their own computer.

In addition to the DNS vendors, Kaminsky said he has worked with such companies as Google, Facebook, Yahoo and eBay to fix various problems related to the flaw. “I do not want to see my cell phone bill this month,” he said.

Although some conference attendees said Wednesday that Kaminsky’s talk was overhyped, OpenDNS CEO David Ulevitch said that the IOActive researcher has performed a valuable service to the Internet community. “The entire scope of the attack is even yet to be fully realized,” he said. ■
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Juniper  consolidates  mgrnt  software 


BY  TIM  GREENE 

Juniper  Networks  last  week  extended  the 
role  of  its  Network  and  Security  Manager  soft¬ 
ware  to  help  customers  simplify  and  tighten 
network  management. 

The  latest  version  of  the  NSM  platform  sup¬ 
ports  Juniper’s  SSL  VPN  products,  Unified 
Access  Control  (UAC)  NAC  gear  and  EX  enter¬ 
prise  switches.  Previously  the  platform  man¬ 
aged  only  firewalls  and  intrusion-detection 
products.  Later  this  year,  NSM  will  be  ex¬ 
panded  further  to  support  Juniper  M-Series 
multiservice  edge  routers  and  MX-Series 
Ethernet  services  routers  under  NSM. 

The  overhaul  of  NSM  will  help  Juniper  com¬ 
pete  against  Cisco  for  corporate  business,  says 
John  01tsik,an  analyst  with  Enterprise  Strategy 
Group.  “Cisco  has  rich  management  of  its 
devices,”  he  says, “but  it  requires  layering  multi¬ 
ple  software  packages.  NSM  aggregates  func¬ 
tions  and  is  more  elegant.” 


BY  JON  BRODKIN 

EMC  last  week  unveiled  a  new  generation  of 
its  Clariion  midrange  storage-area  network 
disk  array  which  makes  support  for  iSCSI  a 
standard  feature,  offers  new  energy-saving 
software  tools  and  gives  customers  the  option 
to  use  flash  memory 

CX4,  the  first  overhaul  of  the  Clariion  line 
since  May  2006,  is  significant  in  part  because  it 
“acknowledges  that  iSCSI  is  here  to  sta^’  says 
Enterprise  Strategy  Group  analyst  Mark  Peters. 

Moreover,  EMC’s  decision  to  add  flash 
drives  to  midrange  storage  came  surprisingly 
quickly  just  a  few  months  after  EMC  made 
flash  available  on  the  high-end  Symmetrix 
platform,  Peters  says. 

“While  not  unexpected,  the  speed  of  this 
inclusion  in  EMC’s  midrange  platform  is  sur¬ 
prising,  and  will  probably  force  other  vendors 
(for  example  Sun,  NetApp,  Hitachi)  to  com¬ 
pete  faster  than  they  might  have  been  plan¬ 
ning,”  Peters  writes  in  a  brief  on  the  new 
Clariion  system. 

While CX4 is on the market, EMC won’t make the flash drives available until October. Sun, for its part, has said it will embed flash storage in nearly every type of server it offers by year-end.

With iSCSI, EMC is making support for this SAN protocol a standard part of all CX4 systems, just like Fibre Channel. Previously iSCSI was not available on the highest-end Clariion box and had to be purchased separately on the lower-tier Clariion systems.

Now, “any customer who purchases CX4 will get both [Fibre Channel and iSCSI] protocols,” says EMC storage product marketing director Barry Ader.

EMC is also introducing what it calls UltraFlex, which will make it easier for customers to upgrade to such emerging technologies as Fibre Channel over Ethernet, iSCSI over 10 Gigabit Ethernet and 8Gbps Fibre Channel. Customers will be able to upgrade by purchasing new I/O modules from EMC, rather than an entire new storage system, Ader says.

The CX4 can scale up to nearly a petabyte. There are four models, the 120, 240, 480 and 960, with the number indicating the maximum number of drives in each system. Each drive can be as large as a terabyte.

The least expensive Clariion, with five Fibre Channel drives and management software, starts at $31,000. With systems ranging to as many as 960 drives, the price can reach hundreds of thousands of dollars, Ader says.

Flash drives are only available on the 480- and 960-drive versions.

CX4 includes various performance enhancements, with a 64-bit operating system running on dual- and quad-core processors. The bottom line, EMC says, is that CX4 offers double the capacity, memory, performance and number of logical unit numbers (LUNs) of previous Clariion models. ■


EMC’s Clariion CX4 can store almost a petabyte of data.


The ability to set policies across network and security gear will make it possible for businesses to set service-level policies across both domains, Oltsik says, giving added value to owners of broad Juniper portfolios. “They can set virtual-LAN and QoS and security policies from one central console,” he says.

Many customers will want to keep management rights separated by role anyway, says Dave Passmore, an analyst with the Burton Group. They may want security staff to access only security devices and network staff to access only routers and switches, he says.

The expanded NSM will help out with the SA6000 SSL VPN gear used by IFC Corp., the commercial arm of The World Bank, says Glenn Hudler, an information officer with the company.

With 65 VPN devices and 73 Juniper firewalls, the new NSM will go a long way toward simplifying configuration and eliminating errors, Hudler says. “If we had to manually send configurations for the firewalls, we literally couldn’t do it,” he says. “There would be so many mistakes.”

The  situation  is  similar  with  the  VPNs.  “The 
chances  of  making  a  mistake  without  NSM  are 
pretty  high,”  Hudler  says. 

The  platform  also  lets  Hudler  define  a  new 
configuration  policy  and  compare  it  to  cur¬ 
rent  configurations.  NSM  tells  him  whether  the 
proposed  changes  do  what  he  intended,  unin¬ 
tentionally  undo  other  policies  or  replicate 
existing  policies. 
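The comparison Hudler describes (does a proposed rule actually take effect, does it merely replicate an existing rule, does it undo rules further down the policy) reduces to a coverage check between rules under first-match semantics. The Python below is an added example, not Juniper NSM or IFC code: it models a rule as source/destination CIDR, protocol, destination port range and action (a simplification of a real firewall policy), and the three-rule policy it is run against is constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source CIDR, "0.0.0.0/0" for any
    dst: str            # destination CIDR
    proto: str          # "tcp", "udp" or "any"
    ports: tuple        # (low, high) destination port range; (0, 65535) for any
    action: str         # "permit" or "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def unreachable_rules(policy: list) -> list:
    """First-match semantics: a rule fully covered by an earlier rule never fires.
    Returns (kind, rule, covering_rule); kind is 'redundant' when the actions agree
    (a harmless duplicate) and 'shadowed' when they differ (the rule is dead)."""
    findings = []
    for i, rule in enumerate(policy):
        for earlier in policy[:i]:
            if covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((kind, rule.name, earlier.name))
                break
    return findings


def preview_change(existing: list, new_rule: Rule, position: int) -> dict:
    """Answer the three questions before the push: does the new rule take effect,
    does it only replicate an existing rule, and does it undo rules after it."""
    report = {"never_fires_because_of": None, "duplicates": None,
              "overrides": [], "makes_redundant": []}
    for earlier in existing[:position]:
        if covers(earlier, new_rule):
            key = "duplicates" if earlier.action == new_rule.action else "never_fires_because_of"
            report[key] = earlier.name
            break
    for later in existing[position:]:
        if covers(new_rule, later):
            key = "makes_redundant" if later.action == new_rule.action else "overrides"
            report[key].append(later.name)
    return report


# Constructed sample policy (not IFC's): web traffic in, everything else denied.
CURRENT_POLICY = [
    Rule("allow-web", "0.0.0.0/0", "10.1.0.0/24", "tcp", (80, 80), "permit"),
    Rule("allow-https", "0.0.0.0/0", "10.1.0.0/24", "tcp", (443, 443), "permit"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", (0, 65535), "deny"),
]

if __name__ == "__main__":
    branch_block = Rule("block-branch", "192.168.5.0/24", "10.1.0.0/24", "tcp", (80, 80), "deny")
    # Appended at the end the block is dead (allow-web fires first); inserted first it works.
    print(preview_change(CURRENT_POLICY, branch_block, len(CURRENT_POLICY)))
    print(preview_change(CURRENT_POLICY, branch_block, 0))
```

The position argument matters as much as the rule itself: the same deny rule is dead when appended and effective when inserted at the top, which is exactly the class of mistake a manual push to 73 firewalls would miss.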

The  new  NSM  required  bringing  together 
management  of  disparate  products  that  were 
developed  in-house  or  acquired. 

NSM  was  created  by  NetScreen,  which 
Juniper  bought  in  2004.  NetScreen  came  to 
Juniper  with  firewalls,  IPSec  and  SSL  VPNs,  and 
intrusion-detection  gear,  some  of  which  was 
acquired  as  well.  For  instance,  NetScreen 
bought  its  SSL  VPN  gear  when  it  purchased 
Neoteris  in  2003. 

To bring management of this smorgasbord of devices under NSM, Juniper instituted an XML interface called the device management interface (DMI). NSM was adapted to talk to DMI, and that capability makes it possible for Juniper to add product lines to the management platform quickly, the company says.

Juniper has made its UAC technology compatible out of the box with Microsoft’s Network Access Protection (NAP) NAC technology. This means customers can use elements of one with elements of the other.

Rather  than  distribute  Juniper’s  UAC  client, 
the  NAP  client  that  comes  built  into  Windows 
XP  and  Vista  can  handle  reporting  on  the  sta¬ 
tus  of  endpoints. 

UAC  has  supported  NAP  for  more  than  a 
year,  based  on  public  demonstrations,  but  that 
required  complex  configuration.  Now,  the  sup¬ 
port  is  standard  with  UAC. 

Along  with  NAP  interoperability,  new  UAC 
software  makes  it  simpler  to  install  and  deploy 
UAC  client  software.  It  also  makes  it  possible 
for  UAC  to  auto-remediate  more  third-party 
products,  such  as  antivirus  software,  and 
enables  UAC  to  scale  to  hundreds  of  thou¬ 
sands  of  endpoints  at  a  time. 

Juniper also has broadened the number of devices that can send security input to its Infranet Controller, the UAC policy controller, to isolate misbehaving endpoints.

The  company’s  Coordinated  Threat  Control 
architecture  lets  various  devices  on  the  net¬ 
work  report  to  the  Infranet  Controller  about 
security  incidents.  The  controller’s  policies 
can  call  for  quarantining  the  offending 
machine  or  restricting  its  access  to  the  net¬ 
work.  In  extreme  cases,  its  session  can  be  cut 
and  further  access  attempts  denied  until  the 
attack  can  be  analyzed.  ■ 
Merrill Lynch going stateless

Advantages  include  shared  data-center  utilities,  cost  reductions 


BY  JOHN  FONTANA 

Financial  giant  Merrill  Lynch  is  building  a 
stateless  data  center  where  it  can  combine 
capacity  dynamically  with  operating-system 
and  application  components  to  meet  its  com¬ 
puting  needs  in  real  time. 

“What we want to get to is someone who comes in and says, ‘I need X amount of capacity, I need it for this amount of time, I need it 24/7, or I need 20 minutes of capacity and at the end of the month, I need 100 units of capacity’ as opposed to ‘I need X number of servers,’” said Jeffrey Birnbaum, managing director and chief technology architect at Merrill Lynch. “This is the shared utility-computing model. It is moving away from the dedicated [server or desktop] idea.”

Birnbaum  made  his  remarks  during  the 
opening  keynote  address  of  the  Linux- 
World/Next  Generation  Data  Center  confer¬ 
ence  last  week.  (Disclosure:  The  conference  is 
run  by  Network  World's  parent  company  IDG). 

Stateless  and  cloud  computing  have  some 
overlap  and  stateless  will  intersect  with  the 
cloud,  Birnbaum  said.  For  too  long  that  state 
has  been  closeted  in  individual  servers  and 
desktops,  which  has  directly  contributed  to  ris¬ 
ing  IT  costs,  he  added. 

The  central  idea  of  stateless  computing  “is 
that  you  have  made  access  to  all  applications 
ubiquitous  by  placing  them  in  an  organized 
file  system  or  namespace,  much  like  the  World 
Wide  Web  is  a  namespace,”  Birnbaum  said.  It  is 
just  like  using  the  gmail.com  URL  to  find 
Google  mail,  he  said.  “We  can  do  the  same 
thing  with  applications  even  if  you  are  talking 
about  an  enterprise,”  he  added. 

Merrill  Lynch  is  building  such  a  namespace 
and  file  system  and  a  set  of  tools  to  manage 
that  namespace,  Birnbaum  said. “We  call  it  the 
enterprise  file  system,  but  it  could  be  called  the 
application  deployment  system,”  he  said. 

Merrill Lynch has vetted the concept, but the company is still in the development stage, Birnbaum said. “The key to this thing is versioning. The idea is you put everything you do in an application library and you put it in this file system. So, therefore, you never have the problem of the software stack or individual execution environments. That is the wrong concept,” he said.


Jeffrey Birnbaum told LinuxWorld attendees that Merrill Lynch is moving toward a shared utility-computing model.

With  all  components  in  a  version  namespace, 
companies  would  build  applications  using  that 
namespace  so  all  their  dependencies  can  be 
referenced.  “Every  application  would  know 
what  its  dependencies  are,  and  they  would  be 
serviceable  through  this  global  processing.That 
is  a  key  concept,"  Birnbaum  said. 
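The versioned namespace just described (every component addressed by name and exact version, every application declaring the dependencies it needs) and the placement engine Birnbaum describes later in this article, sketched as an added Python example. This is not Merrill Lynch’s code: the component names, versions, hosts and constraint set are constructed for illustration, and the resolver fails closed on an unknown version or a conflicting pin rather than picking a default, which is the property that makes a stack reproducible wherever it is streamed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample namespace: each component is addressed by name and exact
# version, the way a URL names a resource, so nothing is resolved "by whatever
# happens to be installed" on a particular server.
NAMESPACE = {
    "os/linux": {"2.6.18", "2.6.24"},
    "lib/libssl": {"0.9.8g", "0.9.8h"},
    "lib/jre": {"1.6.0_07"},
    "app/trade-blotter": {"4.2.1"},
    "app/risk-report": {"1.0"},
}
# Each (component, version) pins the exact versions it depends on.
DEPENDENCIES = {
    ("app/trade-blotter", "4.2.1"): {"lib/jre": "1.6.0_07", "os/linux": "2.6.24"},
    ("app/risk-report", "1.0"): {"lib/jre": "1.6.0_07", "lib/libssl": "0.9.8g"},
    ("lib/jre", "1.6.0_07"): {"lib/libssl": "0.9.8h"},
}


def resolve(name: str, version: str, stack: Optional[dict] = None) -> dict:
    """Return {component: version} for the full stack to stream to a VM.
    Unknown versions and conflicting pins are errors, never silently defaulted."""
    if stack is None:
        stack = {}
    if version not in NAMESPACE.get(name, ()):
        raise LookupError(f"{name}@{version} is not in the namespace")
    if stack.get(name, version) != version:
        raise ValueError(f"conflict: {name} pinned to {stack[name]} and {version}")
    if name in stack:
        return stack
    stack[name] = version
    for dep, dep_version in DEPENDENCIES.get((name, version), {}).items():
        resolve(dep, dep_version, stack)
    return stack


@dataclass
class Host:
    name: str
    subnet: str
    free_mem_gb: int
    free_cpus: int
    near: set = field(default_factory=set)   # data repositories with local access


@dataclass
class Request:
    mem_gb: int
    cpus: int
    subnet: Optional[str] = None   # must land on this subnet, if given
    near: Optional[str] = None     # must sit next to this data repository, if given


def place(req: Request, hosts: list) -> tuple:
    """Best-fit placement: among hosts that satisfy every constraint, take the one
    that leaves the least memory idle and reserve the capacity on it.
    Returns (host name or None, {host: [violated constraints]})."""
    rejected, fits = {}, []
    for h in hosts:
        why = []
        if h.free_mem_gb < req.mem_gb:
            why.append("memory")
        if h.free_cpus < req.cpus:
            why.append("cpus")
        if req.subnet and h.subnet != req.subnet:
            why.append("subnet")
        if req.near and req.near not in h.near:
            why.append("data locality")
        if why:
            rejected[h.name] = why
        else:
            fits.append(h)
    if not fits:
        return None, rejected
    best = min(fits, key=lambda h: (h.free_mem_gb - req.mem_gb, h.name))
    best.free_mem_gb -= req.mem_gb
    best.free_cpus -= req.cpus
    return best.name, rejected


if __name__ == "__main__":
    hosts = [Host("ny-01", "10.1.0.0/24", 64, 16, {"trades"}),
             Host("ny-02", "10.1.0.0/24", 32, 8, {"trades"})]
    print(resolve("app/trade-blotter", "4.2.1"))
    print(place(Request(24, 4, near="trades"), hosts))
```

Returning the per-host rejection reasons alongside the decision is deliberate: when the engine answers “no capacity,” the operator needs to know whether the problem is memory, subnet or data locality before adding hardware.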

Merrill Lynch has four data centers around the globe, and will use a combination of replication and caching to synchronize its file system and ensure performance, Birnbaum said. “That is how you scale a global file system,” he said. Even virtual machines would be stateless. “You stream the components of the application and the operating system to the VM and then [Remote Desktop Protocol] the application to the desktop [or server],” he said.

A key to this concept is a placement engine, which Merrill Lynch is trying to create, Birnbaum said. The engine would find components and deploy the application within the data center where it would run most effectively based on its constraints, such as the amount of memory it requires, the number of CPUs, the amount of time it will be up, and on which subnet and near which data repository it needs to reside. “The placement engine knows about all the available resources,” he said.

Three factors are helping drive this concept toward reality, Birnbaum said: 10G Ethernet that can handle the load of stateless and cloud computing, a Layer 2 switch environment, and less of a need for redundant hardware in the stateless architecture. ■


Google upgrades Search Appliance

BY JON BRODKIN

An upgrade to the Google Search Appliance for businesses lets one box index 10 million documents, more than triple the previous amount, and offers new user features including personalized alerts and results ranking.

The hardware-software bundle, based on Dell servers, sits behind a customer’s firewall and crawls content in corporate intranets, Web servers, portals, file shares, databases, content management systems and business applications. Previously one box could crawl as many as 3 million documents. The appliance’s minimum capacity is 500,000 documents, but many customers’ search needs extend beyond 10 million, says Google lead enterprise-search product manager Nitin Mangtani.

With competing software-based search products from vendors such as Autonomy and the Microsoft subsidiary Fast, an enterprise would need several pieces of hardware: a Web server, an application server and a database server for indexing, says Enterprise Strategy Group analyst Brian Babineau.

“It’s literally like managing a mini-data center if you have to scale to 10 million documents [with other search products],” Mangtani argues. The upgraded Google appliance will be available at the beginning of September.

Ten million documents on one box sounds impressive, but there’s one caveat, Babineau notes. The Google appliance represents a single point of failure. If you need clustering and high availability you’ll have to buy two, he says.

Standard configurations of the Google appliance allow indexing of as many as 30 million documents, a number unchanged from previous versions. Indexing 30 million documents requires 12 servers in the upgraded version, just as it did in previous editions, because extra hardware is needed for high availability and backup.

When Forrester Research analyzed the enterprise search market in May, it said Google competes effectively with ease-of-use and low prices but the most impressive technical capabilities are found in rival products from Autonomy, Fast, Endeca and Vivisimo.

The entry-level version of the appliance, including two years of support, starts at $30,000. Google said it would not disclose pricing of the box that indexes 10 million documents. ■


Google’s Search Appliance has tripled its capacity.
What you don’t know about security can hurt you

I’ve just received an early release of a security survey conducted by the RSA Conference in which security professionals were polled about their attitudes and experiences around information security. There were two findings that caught my attention.

The first is that while 54% of the respondents have dealt with a security incident, only 11% of those disclosed the incident publicly or reported it to authorities. The second is that 86% of the respondents said the Storm worm had no impact on their organization. These two seemingly contradictory data points show under-reporting and over-reporting of threats. Let’s take a look.

First, 54% said they were affected by a security incident. This percentage is similar to the numbers Nemertes Research has found, although the outcome depends on how the study defines “incident.” If one counts malware infections, the number increases quite a bit. Still, it seems that most companies are affected negatively by security incidents. What is not immediately obvious is that this represents only the small subset of companies that are aware a security incident has occurred.

My experience conducting forensic investigations is that security incidents very often go unnoticed for months or even years. Many probably are never noticed. If a lot of incidents go unnoticed, and of those that are noticed, only a tiny minority are ever made public, what we see in the media is only a pale shadow of a much larger threat.

Second, 86% of the respondents said they were not affected by the Storm worm. The analysis of this data seemed to suggest that Storm is overhyped in the media, because its real-world incidence reportedly is low. I read this to mean the exact opposite. The defining characteristic of Storm is that it operates silently and is hard to detect, even if you go looking for it. I bet that a fair number of that 86% have a Storm infection in their infrastructure and don’t know about it.

Companies probably are getting better at the operational aspects of security: monitoring, correlating and alerting. They probably are noticing more of the bad things occurring on their systems. At the same time, however, attacks deliberately have become much more subtle, silent, discreet.

It’s cynical to assume that the absence of an obvious threat could be evidence of more sophisticated silent attacks flying under the radar. Nevertheless, all the great security professionals I know are both a bit cynical and a bit paranoid. Not all the zombies and stolen identities come from consumer machines. Some of them may come from your systems. What you don’t know about what’s on your systems can hurt you.

Antonopoulos is senior vice president and founding partner at Nemertes Research, an independent technology research firm. He can be reached at andreas@nemertes.com.


NEWS ANALYSIS


Cisco  CSO  says  security  is  growing  up 


BY  ROBERT  MCMILLAN,  IDG  NEWS 
SERVICE 

John  Stewart  doesn’t  talk  like  your  typical 
corporate  executive.  He  says  that  his  compa¬ 
ny,  Cisco,  has  been  lucky  when  it  comes  to 
security  and  that  its  Self-Defending  Network 
marketing  push  has  painted  “a  big  bull’s-eye” 
on  its  products. 

Then  again,  Stewart  has  more  important 
things  to  worry  about.  As  CSO,  he’s  responsible 
for  directing  Cisco  corporate  and  business- 
unit  security  practices.That  means  he  gets  the 
call  whenever  there’s  an  important  security 
bug  in  Cisco’s  products,  and  would  if  hackers 
were  to  hit  the  company  Web  site.  The  way  he 
puts  it,  it’s  his  job  to  help  lock  down  Cisco’s 
products  before  he’s  forced  to  deal  with  what 
he  calls  “the  burning  platform”  —  a  serious 
flaw  or  attack  against  the  most  widely  used 
routers  on  the  Internet. 

Maybe Cisco needs someone like Stewart to steer clear of the mistakes that other major technology companies have made on security. Take Microsoft, for example. It first took a
hostile  attitude  toward  security  researchers 
and  critics,  but  that  backfired  and  helped 
cement  the  impression  that  the  company  was 
ignoring  security  bugs  rather  than  trying  to  fix 
them.  Microsoft  ultimately  reversed  its  course, 
but  not  until  its  reputation  took  a  serious  hit. 

On  a  smaller  scale,  Cisco  has  made  a  similar 
kind  of  reversal.  The  company  angered  hack¬ 
ers  in  2005  by  suing  researcher  Mike  Lynn  after 
he  showed  how  it  was  possible  to  run  unau¬ 
thorized  shellcode  software  on  a  Cisco  router. 

Instead  of  kicking  off  a  new  era  of  Cisco 
hacking,  however,  the  Lynn  episode  was  more 
of  an  aberration.  Cisco  research  was  quiet  for 
the  next  few  years. 

Stewart  says  that  Cisco  has  been  “a  little 
lucky”  in  that  it  has  not  had  major  security 
flare-ups,  but  he’s  not  taking  anything  for 
granted.  He  invited  IDG  News  Service  to  his 
San  Jose,  Calif.,  office  to  talk  about  the  Cisco 
threat  landscape.  Following  is  an  edited  tran¬ 
script  of  the  interview. 

Cisco  got  a  lot  of  attention  at  Black  Hat 
2005.  What’s  your  take  on  things  three 
years  later? 

Part  of  the  reason  all  the  attention  was 
painted  on  us  at  Black  Hat  three  years  ago 
is  because  we  created  a  firestorm  of,  frankly, 
all  sorts  of  complicated  issues  that  felt  like 
Cisco  was  suppressing  communication  and 
research. 

I  think  arguably  we  did  some  silly  things,  like 
trying  to  put  the  genie  back  in  the  bottle, 
which  you  can’t  do.  We  were  trying  to  do  it  for 
the  right  reasons:  protection  of  intellectual 
property  and  our  customers.  But  how  it  came 
out  just  completely  went  sideways. 

And  in  many  respects,  we  did  it  anony¬ 
mously.  It  was  “a  Cisco  spokesperson.”  We  sort 


of  hid  behind  an  anonymity  context,  which  I 
think  really  goofed  everything. 

This is why I personally sponsored Black Hat at the platinum level ever since. Because I think we had some atonement to do and go, “Look, our bad. That was not the way to do that one.”

Why  do  you  think  the  Cisco  research  dried 
up  like  it  did? 

There  are  a  couple  of  reasons.  The  first  is, 
a  lot  of  this  is  not  remote  exploitation,  and  a 
lot  of  what  the  research  is  about  in  any 
community  is, “How  do  you  do  it  remotely?” 


IRM’s  [Information  Risk  Management’s] 
research,  Sebastian’s  [Muniz,  a  researcher 
with  Core  Security  Technologies]  research, 
and  to  a  certain  degree,  Michael  Lynn’s 
research,  although  it  had  a  slight  remote 
variant,  it’s  not  stable  remote.  And  that’s 
where  the  real  game  is. 

You have got to figure out a way to get it in without being on the console. And that’s what most of the development’s been around — how do you do it on the console — at least for Cisco, anyway.

And  the  second  thing  is,  you  want  it  to 
work.  You’re  not  trying  to  knock  it  out 
because  you  need  the  network  up  so  you 
can  get  to  the  endpoint.  So,  I  think  we  sort  of 
get  a  pass  because  no  one  wants  to  monkey 
with  the  infrastructure  that  they’re  using.  It’s 
like screwing up the freeway while you’re trying to go to a different city. That’s kind of a goofy thing to do.

Microsoft  has  been  very  public  about  how 
they  changed  the  company  to  make  secu¬ 
rity  a  priority.  What’s  the  story  at  Cisco? 
How  did  the  security  program  get  built? 

We  were  probably  in  the  same  space.  Many 
companies,  including  our  own,  started  with 
building  stuff  first  that  solved  communica¬ 
tions  problems  and  thinking  about  the  safety 
of  communications  afterwards. 

About  five  years  ago,  we  were  fighting  the 
company,  my  team.  Mostly  in  the  informa¬ 
tion  security  business.  We  were  the  “no” 
organization,  the  ivory  tower.  That’s  a  dan¬ 
gerous  place  to  be  because  my  take  is  we 
ought  to  be  a  consultative  fulfillment  arm, 


not  an  adjudicator. 

So,  we  changed  a  lot  of  it  and  we  started 
injecting  things,  like  “You’re  going  to  have 
expertise  in  your  team.  We’re  not  going  to  be 
even  in  the  middle,  so  that  way  you  can  invest 
the  expertise  for  what  you  need  and  we’re  not 
holding  you  up  or  bringing  you  into  a  slower 
position.” 

The  second  thing  —  that  can’t  be  underesti¬ 
mated  —  is  we  were  getting  ready  in  2002  to 
launch  self-defending  networks,  which  —  like 
it  or  hate  it  as  a  slogan  —  effectively  is  a  big 
bull’s-eye  on  our  forehead. 


Like  Oracle’s  unbreakable  Linux? 

In  fact,  Mary  Ann  Davidson  over  at  Oracle 
dropped  me  a  note  and  said,  “Thank  you 
very  much  for  coming  up  with  a  slogan  that 
takes  the  pressure  off  what  we’ve  done,” 
[laughs]  as  if  I  had  anything  to  do  with  the 
announcement. 

And then third, we’ve really had a footprint grow. We got used in more and more places, and for things we never imagined we’d be used for. We’re transitioning healthcare communications, we’re transitioning site-to-site communications for the military. We’re doing all these wild things that 20 years ago we didn’t think about.

Did  you  do  something  like  adopt  a  secure 
development  life  cycle  or  change  the  way 
you  built  products? 

We’re  not  mature  in  this.  We’re  in  the  awk¬ 
ward  teenage  phase.  We’re  testing  at  the  end 
of  the  development  process  and  we’re  figur¬ 
ing  out  from  that  data,  how  do  you  go  back¬ 
wards  into  the  definition  process.  Now  some 
definition  happens  anyway.  So,  for  example, 
there  are  some  baseline  requirements  of 
every  product  we  built.  However,  I  still  say 
there’s  a  lot  to  be  learned.  When  you  think 
you’ve  got  it  right  and  you  build  it  and  you 
test  it,  the  learnings  from  the  test  should  ben¬ 
efit  the  next  thing  you  build. 

We  haven’t  adopted  a  secure  development 
life  cycle  like  Microsoft  yet.  We  haven’t 
nailed  up  equally  on  all  product  lines  in  a 
very  consistent  methodical  measurable  way, 
and  that’s  why  I  say  we’re  in  that  awkward 
teenage  phase.  ■ 




20  •  AUGUST  11,  2008  •  www.networkworld.com 


TECH  UPDATE 

An  inside  look  at  technologies  and  standards 

Practicing  safe  SOA 

BY  IGOR  KHURGIN 

Companies  embarking  on  efforts  to  build  loosely  coupled  service- 
oriented  architectures  inevitably  have  to  tackle  the  issue  of  secur¬ 
ing  their  SOA  service  infrastructure,  and  many  turn  to  XML  security 
appliances  to  get  the  job  done. 


Why choose an XML appliance to protect and safely expose your SOA data services? Without dedicated hardware it is hard to absorb XML denial-of-service attacks and still keep the service available while doing, on every message, the parsing, validation and cryptographic work (signature checks, signing, encryption) that confidentiality, integrity and nonrepudiation require.

An XML security appliance is positioned in the DMZ between firewalls, and is the only device visible to outside clients. It acts as a proxy and performs all necessary security operations, including SSL/TLS termination, credential validation and message verification.

The XML security appliance is then the only device permitted by the second firewall to establish connections to internal SOA endpoints. Performing security operations outside the endpoints means the SOA service no longer has to implement security functions itself and is never directly exposed to untrusted clients. It also decouples security policy from the endpoints, so the infrastructure security team can control it centrally. One caveat: the appliance becomes the single point of trust, so the internal endpoints should still authenticate it (for example, mutual TLS on the inside leg) and must not accept identity assertions that did not arrive through it.

XML security appliances range in price from $30,000 to $70,000, and the feature sets vary widely. These are the most important features to understand.

• Transport-level security: Inbound SSL/TLS termination and outbound SSL/TLS initiation, with support for server-only and mutual (client-certificate) authentication. TLS has been one of the cornerstones of Web security and the most popular way to achieve confidentiality and integrity in transit. Nonrepudiation, by contrast, needs message-level signatures (below): a TLS session proves nothing once the connection is closed.

• Application security: WS-Security (1.0 and 1.1) is the key standard that defines how to secure Web service messages themselves, using XML Signature and XML Encryption. Version 1.1 defines several token profiles for carrying credentials: Username token, X.509, Kerberos, SAML and REL token. It also covers SOAP messages with attachments.

• Message content inspection and validation: Commonly supported features include XML schema and DTD validation and policy-based content and parameter filtering.

• XML threat protection: Will your appliance protect against attacks that target such Web service interface vulnerabilities as SQL injection, oversized or recursive payloads and schema poisoning?

• Application access management: Also known as authentication, authorization and accounting (AAA), this feature provides protection against unauthorized access and maintains access logging information.

• Single sign-on support: Ability to consume and generate SAML assertions (and XACML authorization decisions) to facilitate single sign-on with the browser artifact profile (SAML 1.1) and the Web services profiles (SAML 2.0).
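What “XML threat protection” has to do before any business logic sees a message is structural: bound the size, nesting and element count (oversized and recursive payloads), refuse entity declarations (entity-expansion and external-entity attacks) and refuse client-supplied schema locations (schema poisoning). The Python below is an added example of those checks built on the standard library expat parser; it is not code from any XML appliance, the thresholds are assumptions to tune per service, and the sample payloads are constructed. Schema validation itself is out of scope here, since the standard library has no XSD validator.

```python
import xml.parsers.expat


class XmlThreat(ValueError):
    """Payload rejected by the inspection limits; str(e) starts with a short reason code."""


def inspect_xml(data: bytes, max_bytes: int = 1_000_000, max_depth: int = 32,
                max_elements: int = 10_000, max_attr_len: int = 4096) -> dict:
    """Parse `data` once, enforcing structural limits before any business logic sees it.

    Rejects oversized documents, any DOCTYPE or entity declaration, excessive nesting
    or element counts, overlong attribute values and client-supplied schema locations.
    Returns the observed depth and element count for logging.
    """
    if len(data) > max_bytes:
        raise XmlThreat(f"oversized: {len(data)} bytes > {max_bytes}")

    stats = {"depth": 0, "max_depth": 0, "elements": 0}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE is where entity expansion (billion laughs) and external entities live.
        raise XmlThreat(f"dtd-not-allowed: DOCTYPE {name}")

    def on_entity_decl(name, *_):
        raise XmlThreat(f"entity-not-allowed: {name}")

    def on_start(name, attrs):
        stats["elements"] += 1
        if stats["elements"] > max_elements:
            raise XmlThreat(f"too-many-elements: > {max_elements}")
        stats["depth"] += 1
        if stats["depth"] > max_depth:
            raise XmlThreat(f"too-deep: > {max_depth} at <{name}>")
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        for attr, value in attrs.items():
            if len(value) > max_attr_len:
                raise XmlThreat(f"attr-too-long: {attr}")
            # xsi:schemaLocation / xsi:noNamespaceSchemaLocation let the sender choose
            # which schema the validator loads; the appliance must pin its own instead.
            if attr.split(":")[-1] in ("schemaLocation", "noNamespaceSchemaLocation"):
                raise XmlThreat(f"schema-location: {attr}={value}")

    def on_end(name):
        stats["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise XmlThreat(f"malformed: {exc}") from None
    return {"max_depth": stats["max_depth"], "elements": stats["elements"]}


def classify(data: bytes, **limits) -> str:
    """'accept' or the reason code of the first limit the payload trips."""
    try:
        inspect_xml(data, **limits)
    except XmlThreat as exc:
        return str(exc).split(":", 1)[0]
    return "accept"


# Constructed sample payloads (not from the article).
SOAP_OK = (b'<?xml version="1.0"?>'
           b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
           b'<soap:Body><GetQuote symbol="EMC"/></soap:Body></soap:Envelope>')
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
                  b']><lolz>&lol2;</lolz>')
DEEP_NESTING = b"<a>" * 40 + b"</a>" * 40
SCHEMA_POISON = (b'<Order xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
                 b'xsi:noNamespaceSchemaLocation="http://attacker.example/order.xsd"/>')

if __name__ == "__main__":
    for label, payload in [("soap", SOAP_OK), ("billion-laughs", BILLION_LAUGHS),
                           ("deep", DEEP_NESTING), ("schema", SCHEMA_POISON)]:
        print(label, classify(payload))
```

The checks run inside the parser callbacks, so a hostile document is abandoned at the first violation rather than being fully expanded and then measured; that ordering is the difference between a rejected request and an exhausted proxy.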

No  single  solution  works  for  all  enterprises. 
Five  key  areas  should  be  considered. 

• Hardware: Weigh the need for speed against the cost of custom hardware and performance-enhancing features. Some appliances are built on standard server platforms, while others use custom hardware and tend to be slower to adopt advances in processors and chipsets.

• Support for security standards: The degree to which the common set of standards is supported varies. It is not uncommon for vendors to offer partial support for certain security standards. For instance, SAML assertion consumption is almost universally supported but SAML generation is not. Vendors also are selective about which SAML statements they support (most support authentication statements, and only a few support authorization-decision and attribute statements).

• Extensibility and ease of integration: Look at extensibility in terms of the scale and effort involved. Common extensions include enabling new custom data sources, creating custom business-rule processing tasks and adding support for a protocol. Ask whether the XML appliance has features commonly found in an enterprise service bus.

• Scalability and performance: Make sure the role defined fits the sweet spot of the product. For instance, if the appliance’s main role is to perform XML threat protection and data validation, choose an XML appliance with hardware-based XML processing capability.

•  Integration  with  IT  infrastructure:  Make 
sure  your  appliance  will  integrate  smoothly 
into  your  IT  ecosystem.  Every  organization 
standardizes  on  a  set  of  user  credential 
repositories,  infrastructure  monitoring  and 
management  tools.  The  XML  appliance’s 
support  of  a  specific  IT  infrastructure  can 
vary  widely. 

If you map your business and IT needs against the vendor’s features and follow a structured process for vendor selection, you are practicing safe SOA and capturing the best of both worlds: flexibility and security.

Khurgin is an SOA practice manager for Acumen Solutions, a business and technology consulting firm. He can be reached at ikhurgin@acumensolutions.com.


Deploying XML security appliances

Appliances typically are positioned in the DMZ between firewalls, and become the only device visible to outside clients and the only device permitted to connect to internal service-oriented-architecture endpoints. This eases management by decoupling security policy from endpoints, and means SOA services no longer need to implement security functions.


What  readers  sync 


Wow.  Little  did  I  know  that  synchroniza¬ 
tion  was  such  a  big  deal  (I  discussed  a 
sync  product  a  couple  of  weeks  ago). 
I've  been  flooded  with  responses  and  have 
sent  out  more  than  100  invites  to  the  Dropbox 
file  synchronization  service  I  reviewed.  If  you 
requested  an  invite  but  haven’t  seen  a  response 
yet,  send  a  message  to  gearhead@gibbs.com 
with  the  subject  “dropbox”  (if  you  sent  me  a 
message  without  that  as  the  subject  I  may  have  missed  it). 

Reader Craig Anderson (Tampa, Fla.) asked if I had ever used or reviewed the free, open source software synchronization package called rsync (Yes and yes).

Craig  said  his  organization  has  used  rsync  for  years  as  the  basis  of  its 
disk-to-disk-to-tape  backup  system:“We  have  several  small  remote 
offices  with  local  Windows  servers  that  we  mirror  to  HQ  (to  a  white- 
box  running  Linux  with  SATA-RA1D)  using  rsync,  and  then  back  up  the 
mirrors  to  tape.”  Nice  solution  and  it  has  the  advantage  that  you  own 
and  control  the  entire  thing.That  said.it  also  has  the  disadvantage  that 
you  own  and  control  the  entire  solution. 

Craig  continued:“rsync  can  run  as  a  command-line  or  as  a  *nix  dae¬ 
mon  or  as  a  Windows  service  in  both  directions. That’s  right,  the  ser¬ 
vice  can  run  as  a  source  or  destination  on  a  per ‘share’  basis.  It  can 
even  run  inside  of  SSH.” 

If  you  haven’t  checked  out  rsync  you  should  first  peruse  its  Wikipedia 
entry  and  then  visit  its  Web  site  (www.nwdocfinder.com/6130).  Rsync  is 
a  very  active  project,  and  the  latest  version,  rsync  version  3.0.4pre2,was 
just  released  on  Aug.  2.  For  Windows  there’s  a  very  good  port  called 
cwRsync,  as  well  as  ports  for  Red  Hat  and  Fedora,  i386  Linux,  and 
Sparc/Solaris  and  X86/Solaris.  For  Mac  OS  X  there’s  a  sophisticated 


port  called  RsyncX  with  wizard-style  “assistants”  for  performing  various 
client-  and  server-orientated  operations,  drag  and  drop  support,  and 
the  ability  to  create  a  bootable  copy  of  an  OS9  or  OS  X  system. 

The  RsyncX  site  provides  a  variant  called  RsyncXCD.This  utility  is 
based  on  the  latest  release  of  bootCD,  which  “will  let  you  connect  to 
your  server  as  a  Mac  OS  X  client,  and  cleanly  install  your  image  folder 
onto  a  volume  that  later  you  will  boot  from.” 

In  response  to  my  question  about  what  people  are  using  for  syn¬ 
chronization,  reader  Jim  Addlesberger  cited  FolderShare:“The  product 
is  easy  to  use  and  reliable.  I  sync  important  customer  and  vendor  files, 
as  well  as  my  QuickBooks,  between  my  desktop  and  laptop  using 
FolderShare.  I  use  ACT  as  my  customer  database  (some  20,000  con¬ 
tacts)  and  I  use  the  internal  ACT  sync  to  keep  that  up  to  date.” 

But  Jim  has  a  problem:  FolderShare  can’t  synchronize  Outlook.  He 
asks:“Is  there  a  way  to  [keep  two  machines  in  different  cities  totally  syn¬ 
chronized],  including  Outlook?  And  is  there  an  economical  way  to 
remotely  turn  them  off  and  on  without  being  physically  there?” 

I’m  thinking  that  rsync  could  be  part  of  the  answer,  but  it  seems  Jim 
isn’t  alone  in  trying  to  solve  this  problem  —  for  example, 

Slipstick.com  has  a  page  of  solutions  devoted  to  this. 

Actually  Jim, you  could  avoid  some  of  the  pain  by  using  Gmail’s 
IMAP  service  so  you  could  use  any  number  of  copies  of  Outlook  in 
different  locations  and  get  full  access  to  all  of  your  e-mail.  And  you 
could  also  check  your  email  from  anywhere  using  the  Web  client. 

In  addition,  synchronizing  calendars  can  be  done  via  Google 
Calendar  with  Google  Calendar  Sync,  and  for  shared  task  lists  there 
are  no  end  of  really  good  online  services  such  as  Hiveminder. 

So,  do  you  have  any  suggestions  for  Jim? 

Gibbs  is  suggestive  in  Ventura,  Calif.  ( gearhead@gibbs.com ). 


GEARHEAD 

Mark  Gibbs 
COOL TOOLS

The scoop: Das Keyboard Professional and Ultimate keyboards, by Metadot, about $130.

What they are: The original Das Keyboard was a very cool wired keyboard with the distinction of being all black, including the lack of any labels indicating what keys were what letters or characters. Aimed at professional touch-typists and other geeks who thought this idea was cool (yours truly included), beyond this “gimmick” the keyboard had a really nice feel and touch. The company has updated the keyboards with two new models. The new keyboards are smaller in surface area, and have a new “click” feel thanks to gold-plated mechanical key switches (on the inside of the keyboard, there’s no gold that you can see). For those who were annoyed by the lack of key labels, the Professional version includes key labels; for those who want to continue the all-black look and feel without labels, go with the Ultimate.

Why it’s cool: While the clickier keys take some getting used to, after a while I did feel that I could type even faster. I also liked the inclusion of two USB 2.0 ports on the side of the keyboard, although the company warned that while both ports can be active at the same time, one of the ports could temporarily shut down if too much power consumption was occurring.

Photo: Das Keyboard Ultimate

Some caveats: I preferred the larger base of the original Das Keyboard, as I didn’t need one of those ergonomic gel-based wrist rests. With the smaller design (the new ones don’t angle up as much), I had to go digging around for a new wrist rest.

Grade: Professional, ★★★ stars (out of five); Ultimate, ★★★★

The scoop: Outi earphones, by Zelco, about $110.

What it is: Outi earphones are designed to clip comfortably and securely on the outer ear, transmitting vibrations from your music through your ear’s skin and cartilage. The company claims that this lets you feel the music in addition to hearing it, while also avoiding ear damage through headphones inserted inside your ear. A button on the device allows for three levels of vibration settings. The headphones come with a power charger / USB charger, so you can recharge the headphones’ battery through a USB port or wall outlet.

Why it’s cool: If you’re concerned about hearing loss from listening to your iPod, these let you listen to music without jamming stuff into your ears. In addition, when wearing these, you avoid the “What?” response when someone comes into your office and asks you a question.

Some caveats: The idea of “feeling” the music was odd — even with the vibration setting at its lowest level (I couldn’t turn that feature off), my ears would buzz. Turning up the volume on the iPod only made it worse, and I’d have to turn the device to a low setting, barely able to hear the music. Also, after a while, the cartilage on my ears started to ache. At $110, these are way overpriced.

Grade: ★

Shaw can be reached at kshaw@nww.com. New Cool Tools video show every Thursday at www.networkworld.com.

Das Keyboards let you type faster
Unhappy the FCC supported net neutrality

A split FCC decided that Comcast had been a bad company when it interfered with specific customer traffic and told it to clean up its act in the future. As a proponent of network neutrality this should make me happy but it does not.

On Aug. 1, FCC commissioners voted 3 to 2 to find that Comcast had violated the FCC’s Internet Policy Statement by targeting customer BitTorrent traffic and ordered Comcast to reveal what it had been doing, come up with a plan to stop its discriminatory network management practices by year-end, and tell its customers what it plans to do in the way of nondiscriminatory network management practices going forward.

In many ways Comcast had brought this development upon itself. The primary way was to lie about what it was doing. It’s one thing for a corporation to lie when it might be able to get away with it, but there was no chance of that here because the interference was easily demonstrated by running a simple series of experiments across the Comcast network. What Comcast did was plain dumb.

The company compounded the problem by claiming that it was only impacting traffic in times of congestion — a claim also easily disproved. Once Comcast poisoned the discussion by refusing to tell the truth, it almost did not matter what the facts were — Comcast was toast.

Comcast might also have been toast even if it had not lied, considering the inability of the current chairman of the FCC to think clearly when it comes to cable companies. In this case, the chairman sided with the two Democratic commissioners and against the two fellow Republican commissioners. The fact that Comcast, while still not fully coming clean about what it had been doing, announced months ago that it was now working with BitTorrent to develop a better way to deal with BitTorrent-created congestion on Comcast networks did not stop the FCC’s action.

I strongly believe that an Internet without a neutral network is not the Internet that brought the technology revolution that we are only now starting. Without a neutral network, the Internet would devolve into what too many carriers think is its purpose — content distribution from big media companies to couch potatoes. If there were real competition among ISPs serving the residential market then the competition would likely drive an open network without the need for government-imposed rules. But we cannot depend on that happening, so government rules may be the only answer.

So, why am I not happy about the FCC’s action? Mostly because I do not think it has the statutory authority to do what it has done. I also think the action is more about the FCC chairman’s dislike for cable companies than a systematic definition of a set of principles on what reasonable network management would include. If Comcast decides to challenge this order in court, I expect the court will tell the FCC it does not have the authority. Then the responsibility to write rules would fall back to the FCC or Congress — both of which create rules that are unions of bad ideas proposed by lobbyists — rarely do users count or get input. That is why I’m not happy.

Disclaimer: I have no idea if Harvard University, the institution, is happy. I do know a lot of happy people who work at Harvard, along with some not so — but the above exploration of unhappiness is mine alone, not Harvard’s.

Bradner is Harvard University’s technology security officer. He can be reached at sob@sobco.com.

NET INSIDER

Scott Bradner


FCC was right to tell Comcast: Hands off

Regular readers of this column know I take a nuanced view when it comes to net neutrality: On the one hand, carriers shouldn’t be limiting or blocking traffic based on source, destination or traffic type, with the exception of traffic that clearly represents a hazard to the network or its users (such as malicious code attacking routers). On the other hand, providers have a right to charge differentiated rates for differentiated services, and users should choose whether they want best effort, guaranteed delivery or something in-between. And providers should be able to charge heavy users rates commensurate with their use.

What I’m unequivocal about is what Comcast has been doing to some of its users: blocking BitTorrent peer-to-peer traffic on the grounds that users were “consuming more bandwidth than they paid for.” So I applaud the FCC’s recent order that Comcast cease and desist doing so by year-end.

Some free marketeers say this decision represents an unwarranted incursion of the heavy hand of government regulation. Comcast’s lawyers argue that the decision impairs Comcast’s ability to manage its network.

They’re both wrong. The FCC did exactly what it should have: It enforced a consumer’s right to receive the services paid for. Users paid for high-bandwidth connections, which they were free to use to transmit whatever traffic they chose. And if they wanted to generate traffic 24/7 — so be it. That’s what they bought the bandwidth for.

Even diehard libertarians have to admit that one of the government’s few roles is to enforce contracts between buyers and sellers — exactly what the FCC’s doing here. So the argument that this ruling represents unwarranted government intervention is specious.

As for Comcast’s argument, it’s downright idiotic. If Comcast didn’t engineer its network to handle the traffic loads generated by its users — that’s Comcast’s problem. It’s a bit like my local steakhouse complaining that they’re all out of filet mignon, and asking me to accept hamburger instead. I’m as fond of a Whopper as the next gal, but if I’m paying for filet mignon, I expect to get it. If you don’t have it, don’t offer it.

The real issue — as I’ve said many times — is that no provider makes money on access services; at best it breaks even. Yet user appetite for bandwidth (at least with current pricing models) is essentially infinite. So, providers are pressured into plowing all their network infrastructure dollars into marginless services — a great way to go broke.

There’s another fix, however: Charge more. Some carriers I’ve spoken with say they’re planning to charge heavy users — such as those running BitTorrent — more than their bandwidth-sipping counterparts. That’s a great idea, and the FCC shouldn’t be bullied by the net neutral-ites into denying the carriers that right. Meantime, the FCC is right to keep carriers from substituting hamburger for steak.

On a separate note: The courts recently ruled that the fine imposed by the FCC on CBS for Janet Jackson’s “wardrobe malfunction” was arbitrary, capricious and wrong. Sometimes the heavy hand of government regulation does need to be slapped.

Johnson is president and senior founding partner at Nemertes Research, an independent technology research firm. She can be reached at johna@nemertes.com.
Government

continued from page 1

efforts designed to bolster cybersecurity, including encrypting data on laptops and migrating agencies to a standard desktop operating-system configuration.

The nation’s leading carriers — AT&T, Level 3 Communications, Qwest Communications, Sprint Nextel and Verizon — are drafting proposals due in mid-August to provide managed security services for the remaining Internet gateways. The government plans to award contracts in November to some or all of these carriers to support the TIC initiative.

“The federal government [is under constant] cyberattacks from foreign entities, and it needs to do something pretty quickly,” says Diana Gowen, senior vice president and general manager of Qwest Government Services. “This whole TIC initiative has caused civilian agencies that, one could argue, are not as security savvy as the intelligence community and the Defense Department, to really button things up,” she says.

“The government is looking for a way to consolidate Internet access to make it easier and more efficient to apply appropriate security,” says Susan Zeleniak, vice president of Verizon Federal. “They will see the benefits of this immediately,” she says.

Industry observers expect the TIC initiative to continue regardless of the winner of the election in November.

Taking inventory

The TIC initiative required agencies to inventory their networks to identify existing connections to the public Internet and trusted business partners. Agencies are now developing plans to consolidate their access points to two or three, or to share Internet access points with a larger agency.

The TIC effort does not require agencies to merge their internal networks, just their Internet access points.

Evans says the OMB was surprised to discover that the federal government had more than 8,000 external network connections — about twice what it expected to find. The number of connections was so high because it included gateways to business partners, such as banks, as well as Internet connections. “We were thinking we would be around 4,000 or 5,000 external connections,” she says. “We quickly dropped that down to 4,500 because all the agencies were going through IT consolidation efforts anyway.”

The OMB hopes to get the number to fewer than 100 by December 2009. Originally the organization hoped to get to fewer than 50 but found that goal too aggressive. “Most of the big agencies are moving to two access points, but some agencies need more than two for good business reasons,” Evans says.

Getting the federal government to fewer than 100 Internet access points is reasonable, Evans says. “OMB and [the Department of Homeland Security] and the service providers believe there is no technical reason why this can’t be done. What we have to do now is work through each of the agencies’ access points to make sure they have redundancy, resilience and failover.”

The remaining Internet gateways will have a standard set of software tools, which will make security-patching faster, the OMB says. “When you have a standardized configuration, you can roll it out and monitor it uniformly,” Evans says. “One of the big arguments against the TIC is that everybody knows you’ve standardized it, and now you’ve made these access points targets. However, that’s where you’re investing resources, including people with analytical skills who can take proper actions if something happens at one of those access points.”

The primary benefit of the TIC is uniformity of the federal security environment, experts say. “The big surprise with the TIC is that there hadn’t been as much rigor uniformly applied across the government,” says Jeff Mohan, executive director of the Networx program office at AT&T. “Some agencies have very tight controls, and some agencies had never found out how many access points they had. . . . Now there’s a general awareness that cybersecurity is everybody’s mission.”

Mohan says the TIC has helped agencies discover and shut down rogue portals to the Internet. “This also had agencies looking from maybe a little different perspective on their network architectures and how they communicate to and from citizens through the public Internet,” he says. “With two portals in and out to the Internet, they can do load-balancing, have good controls and trap statistics.”

On top of the standardized configurations at the Internet access points, the carriers will provide around-the-clock, managed security services, such as predictive traffic analysis, incident response and post-attack forensics.

Evans says the federal government will benefit by outsourcing the security of its Internet connections, because the carriers have more expertise. “Because the agencies will have the access providers looking at their external traffic, the agencies can be more focused on internal types of things that will increase our security. They can keep logs and look at who is accessing what information. They can move their analysis and skill set to inside threats.”

The remaining Internet gateways also will have sensors that link into the federal Einstein program, which provides monitoring and analysis of network traffic to identify unauthorized users and software on federal networks. The sensors feed data to the U.S. Computer Emergency Readiness Team at Carnegie Mellon University.

Saving money

The OMB says the TIC not only improves cybersecurity posture, but also saves money.

“Because the federal government is so big, there are economies that you get from managing a set number of access points,” Evans says. “Because we’re all competing for the same set of resources, as in personnel resources, it makes sense that we would consolidate and limit where we invest those resources rather than having everyone fend for themselves.”

The OMB says the TIC is not costing much because agencies were conducting inventories of their network services already and planning for the transition from their existing WAN contract, known as FTS-2001, to the Networx contract, which will provide telecom services for the next decade.

“There were two different activities that were under way so we capitalized on them,” Evans says. “One was an IT consolidation effort. The other was the transition to Networx. Agencies had been working on their network inventories for over three years” when we asked them to identify their Internet access points, she adds.

The federal government is modifying Networx contracts to allow carriers to provide managed trusted-IP services for the remaining Internet access points. The modification is expected to be done in November.

The TIC initiative’s biggest impact is on carriers, which will have fewer opportunities to sell Internet access services, but the connections they sell will be larger and will come with more managed security services. “We may sell fewer pipes, but we’ll sell bigger pipes and theoretically at a higher value to us,” Qwest’s Gowen says. “I see this as good for the carriers.”

Verizon’s Zeleniak says the federal IT market — including carriers and network equipment providers — is backing the TIC initiative because it makes sense and is the right thing to do. “It’s easy to perceive the value of creating a unified security policy and obviously it’s much easier to manage that with fewer connections,” she says. “I think all of us see the value in securing the government’s interactions on the Internet.”

The TIC offers a road map to states, corporations and other organizations looking to reduce their cybersecurity risks. Retailers and companies that recently have gone through a series of acquisitions may have more unprotected Internet gateways than they realize, experts say.

“If you’re T.J. Maxx, the TIC is a good idea,” Evans says. “It allows you to reduce your risks and streamline your operations. Configuration management is one of the biggest issues in security. If you’re optimizing how you do configuration management, you can deploy patches faster, which makes you better off.” ■
Definition:

A rootkit is a program designed to take fundamental control (in Unix terms, “root” access) of a computer system, without authorization by the system’s owners and legitimate managers. Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard operating-system security mechanisms.

Find out how and where they hide, what they’re hiding, and how you can (and can’t) stop them

BY DEB RADCLIFF

If you want to know about the latest malicious rootkit, ask security researcher Dino Dai Zovi. He’ll tell you all about his proof-of-concept rootkit called Vitriol that uses virtual machine instructions in Intel processors to hide a rootkit at the virtualization layer.

He presented this information at BlackHat 2006, the same conference at which Joanna Rutkowska demonstrated her BluePill virtual rootkit that exploited AMD processors.

The good news is that neither rootkit has shown up in the wild. And Dai Zovi says such a hack is not imminent. The bad news: He says these hacks haven’t been unleashed on unsuspecting enterprise networks because existing rootkits are working so well that there’s no need for hackers to develop more devious attacks.

“If I’m an attacker and my user and kernel rootkits work 80% of the time, then why go create a virtual rootkit, which is infinitely harder to deploy?” asks Mike Dalton,

That’s not to say hackers are resting on their laurels. User and kernel-level rootkits continue to get more insidious, burrowing deeper into enterprise networks, hiding themselves in the processor, and exploiting multiprocessor systems for gaming-based hacks.

And although it’s hard to say how prevalent rootkits are because they’re so hard to find, one need only look at the rate of rootkits being used in families of profit-driven malware — most commonly to hide remote controllers, keyloggers, spambots and gameware.

Rootkits of all evil

“The use of rootkit technologies is prevalent in the malware families our filters are picking up today,” says Christoph Alme, Secure Computing’s antimalware team lead. “Most commonly these tend to be spambots. Recent examples include Srizbi and Rustock.”

Detected in the wild in 2007, Rustock.C spreads like a virus to infect kernel drivers, uses polymorphism (self-changing) to avoid signature detection, loads and hides beneath Microsoft’s trusted system driver, and includes a back door Trojan to open and hide two-way communications channels over Port 80.

When analyzed at Rootkit.com this year, Rustock.C was called the “most powerful rootkit ever found under Windows” because of these and other advanced hiding features. The analysis went on to predict that Trojans (back doors) and rootkits will ultimately blend into one malware family.

By combining such hiding technologies, rootkits such as Rustock.C can easily cloak a bot’s existence not only from the system but from the network, where monitoring for suspicious machine behaviors is the last line of defense in detecting the presence of rootkits.

“Companies need to keep Port 80 open so their employees can use the Internet. Some malware uses that channel to piggyback HTTP traffic,” Alme says. “HTTP traffic mainly goes inbound [rather than outbound] over this port, so you need to train your filters to scan outbound HTTP traffic with your network gateway appliance.”

Malicious traffic also can piggyback on accepted outbound traffic — for example attaching to outbound DNS packets. So, Alme recommends monitoring these types of outbound channels for bursts of traffic, large files and other anomalies that might indicate remote control commands are being sent and received.
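The kind of outbound-channel check Alme recommends, as an added example that is not code from the article or from Secure Computing: it reads constructed flow-log lines and flags oversized DNS packets, single large outbound HTTP transfers, and a host whose outbound HTTP volume dwarfs that of its peers. The log format, the sample lines and the thresholds are all assumptions made for the example.

```python
"""Outbound-channel anomaly checks over constructed flow-log lines.

Added example, not code from the article or from Secure Computing.
It implements three checks the text calls for: oversized DNS packets,
single large outbound HTTP transfers, and a per-host outbound HTTP
burst relative to its peers. The log format, field names and
thresholds are assumptions made for the example.
"""
import re
from collections import defaultdict
from statistics import median

# Assumed one-line-per-flow format: timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)$"
)

# Thresholds (assumptions): classic UDP DNS fits in 512 bytes; a single
# outbound HTTP flow over 5 MB is rare for browsing; a host sending more
# than ten times the median of its peers is treated as a burst.
MAX_DNS_BYTES = 512
LARGE_HTTP_BYTES = 5_000_000
BURST_FACTOR = 10

# Constructed sample log (src is the internal host): 10.1.2.12 emits an
# oversized DNS packet and 10.1.2.13 pushes one very large HTTP upload.
SAMPLE_LOG = """\
2008-08-04T10:00:01 src=10.1.2.10 dst=203.0.113.5 proto=tcp dport=80 bytes=1400
2008-08-04T10:00:02 src=10.1.2.10 dst=203.0.113.5 proto=tcp dport=80 bytes=1600
2008-08-04T10:00:03 src=10.1.2.10 dst=10.1.0.2 proto=udp dport=53 bytes=64
2008-08-04T10:00:04 src=10.1.2.11 dst=198.51.100.8 proto=tcp dport=80 bytes=4200
2008-08-04T10:00:05 src=10.1.2.11 dst=10.1.0.2 proto=udp dport=53 bytes=70
2008-08-04T10:00:06 src=10.1.2.12 dst=203.0.113.9 proto=tcp dport=80 bytes=2600
2008-08-04T10:00:07 src=10.1.2.12 dst=192.0.2.44 proto=udp dport=53 bytes=1400
2008-08-04T10:00:08 src=10.1.2.13 dst=203.0.113.5 proto=tcp dport=80 bytes=1400
2008-08-04T10:00:09 src=10.1.2.13 dst=192.0.2.77 proto=tcp dport=80 bytes=8000000
this line is deliberately malformed and must be skipped by the parser
"""


def parse_flows(text):
    """Parse flow lines; silently skip lines that do not match the format."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        f["dport"] = int(f["dport"])
        f["bytes"] = int(f["bytes"])
        flows.append(f)
    return flows


def find_anomalies(flows):
    """Return (kind, host, bytes) tuples for each suspicious observation."""
    alerts = []
    http_out = defaultdict(int)  # outbound HTTP bytes per internal host
    for f in flows:
        if f["dport"] == 53 and f["bytes"] > MAX_DNS_BYTES:
            alerts.append(("oversized_dns", f["src"], f["bytes"]))
        if f["dport"] == 80:
            http_out[f["src"]] += f["bytes"]
            if f["bytes"] > LARGE_HTTP_BYTES:
                alerts.append(("large_http_upload", f["src"], f["bytes"]))
    # The burst check compares a host against its peers, so it needs
    # several hosts before a median is meaningful.
    if len(http_out) >= 3:
        baseline = median(http_out.values())
        for host, total in http_out.items():
            if baseline > 0 and total > BURST_FACTOR * baseline:
                alerts.append(("http_burst", host, total))
    return alerts


if __name__ == "__main__":
    for kind, host, size in find_anomalies(parse_flows(SAMPLE_LOG)):
        print(f"{kind:18} {host:12} {size} bytes")
```

The fixed thresholds would be tuned per site; the point of the burst check is that its baseline comes from the population of hosts rather than from a constant, so one chatty machine stands out even when absolute volumes are modest.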

Traditionally,  detecting  a  rootkit  on  a  system  can  be  even 
more  difficult  than  detecting  rootkit-hidden  traffic  on  the 


See  Rootkits,  page  30 
Microsoft System Center is a family of IT management solutions (including Operations Manager and Systems Management Server) designed to help you manage your mission-critical enterprise systems and applications.
Rootkits

continued from page 28

network because the rootkit always had as high or higher privilege than antivirus software, Dalton says.

However, VMware’s recent addition of antivirus support with its VMsafe extensions allows antivirus products to run with VMM (virtual-machine manager, aka hypervisor) protection, at higher privilege and visibility into the kernel.

“It’s always been a game of cat and mouse with antivirus looking for rootkits and rootkits looking for antivirus, so the rootkit can take control of the security software and continue controlling the infected computer,” Dalton says. “Now, by putting security in the Virtual Machine Manager, a kernel rootkit can’t even find the security to disable it.”

Rootkit tool kit

Rootkit-specific tools, such as F-Secure’s BlackLight and RootkitRevealer, look for discrepancies between the kernel system calls and direct inspection of the disk to detect hidden files, registry keys and other properties, Dai Zovi says. For example, on a Windows machine, they work by looking for discrepancies between the Windows Task Manager process list and the internal system task list. Note, however, that these tools also operate at a lower level of privilege than the rootkit.
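The discrepancy check those tools perform, as an added example that is not code from the article, from F-Secure or from the RootkitRevealer authors: it compares the process list an operating-system API reports against an independently obtained one and reports entries that are hidden, phantom or renamed. The Proc record, the process table and the simulated tampering are constructed for the example; no real OS interface is queried.

```python
"""Cross-view discrepancy check, modelled on how rootkit detectors work.

Added example, not code from the article, F-Secure or Sysinternals.
It compares two views of the same process table: the view an
operating-system API reports and a "raw" view obtained independently
(in a real tool, from kernel structures or the disk). Everything here
is constructed: the table, the Proc record and the tampering are
stand-ins, and no real OS interface is queried.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str


# Constructed ground truth, standing in for direct inspection. The last
# entry is the one the simulated tampering will hide.
RAW_TABLE = [
    Proc(4, "System", ""),
    Proc(612, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1337, "winlogon.exe", r"C:\Windows\System32\winlogon.exe"),
    Proc(2048, "updsvc.exe", r"C:\Users\Public\updsvc.exe"),
]


def simulated_api_view(raw, hidden_pids=(), renamed=None):
    """Model an API whose answers have been filtered: entries in
    hidden_pids are dropped and entries in renamed get a new name."""
    renamed = renamed or {}
    view = []
    for p in raw:
        if p.pid in hidden_pids:
            continue
        if p.pid in renamed:
            p = Proc(p.pid, renamed[p.pid], p.path)
        view.append(p)
    return view


def cross_view_diff(api_view, raw_view):
    """Return discrepancies between the two views, keyed by pid.

    hidden   - present in the raw view but missing from the API view
    phantom  - reported by the API but absent from the raw view
    mismatch - same pid, but the two views disagree on its attributes
    """
    api = {p.pid: p for p in api_view}
    raw = {p.pid: p for p in raw_view}
    findings = []
    for pid in sorted(api.keys() | raw.keys()):
        if pid not in api:
            findings.append(("hidden", pid, raw[pid].name))
        elif pid not in raw:
            findings.append(("phantom", pid, api[pid].name))
        elif api[pid] != raw[pid]:
            findings.append(("mismatch", pid, f"{api[pid].name}!={raw[pid].name}"))
    return findings


def demo():
    """Run the comparison against constructed tampering and return findings."""
    tampered = simulated_api_view(RAW_TABLE, hidden_pids={2048},
                                  renamed={1337: "lsass.exe"})
    return cross_view_diff(tampered, RAW_TABLE)


if __name__ == "__main__":
    for kind, pid, detail in demo():
        print(f"{kind:9} pid={pid:<6} {detail}")
```

The caveat in the paragraph above shows up directly in this model: if the detector can only obtain both views through the same compromised layer, the two views agree and the diff is empty. That is the sense in which a detector running with less privilege than the rootkit can be blind to it.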

“Rootkit  defenders  running  in  user-land 
are  trying  to  do  dynamic  analysis  of  the 
machine  to  see  whether  the  machine  itself 
is  lying.  Now  does  that  sound  smart?”  asks 
Gary  McGraw,  CTO  of  Cigital,  and  editor  of 
the  book  Rootkits,  by  Greg  Hoglund  and 
James  Butler. 

Digging deeper

The newest kernel rootkits, which come in all types of malicious packaging, can also persist below the operating system and reload into the kernel from the BIOS (basic input/output system) level, even after a computer has been cleaned and restored. BIOS is the first software to run when a machine powers on; it executes its start-up routines and the firmware extensions it finds, such as Ethernet option ROMs and other flash/ROM BIOS extensions.

Dai Zovi says this type is called a “persistent” rootkit. Researcher John Heasman debuted such a rootkit at Black Hat ’06 that hides in the Advanced Configuration and Power Interface (ACPI) tables. Heasman has also discussed similar techniques against System Management Mode (SMM), which two researchers from Clear Hat Consulting were slated to demonstrate at last week’s Black Hat.

“If you can control the processing on a computer, how do you monetize that? You sell bots for spam, identity theft and [distributed denial of service],” McGraw says. “But the most efficient way to exploit processors for money is in online games. This is where the cutting edge of bot technology is being carried out.”

Game bots are particularly fond of multiprocessor machines, on which multiple threads can run while balancing load, continues McGraw, who is also co-author of Exploiting Online Games. The more games organized criminals can play, or steal from, through automated bot programs, the more virtual goods they can acquire and sell for real money.

There are many paths from the kernel that rootkits can take advantage of to exploit the firmware: boot loaders, device drivers, flash and firmware updates, says Bill Johnson, president and CEO of TDITX.com. “Hardware security is not something most security technologists understand well,” he adds. “It’s an area they’d better get familiar with.”

His company’s infrastructure management tool, ConsoleWorks, logs and audits what’s happening on the Baseboard Management Controller, the out-of-band management microcontroller on the motherboard that acts as a gateway into the rest of the system’s hardware. It manages this layer with VPN


TYPE OF ROOTKIT

USER MODE  Installed by user action, such as clicking phish links or hitting bad Web pages. Often includes escalation of privileges to gain deeper access to the kernel.

KERNEL MODE  Kernel rootkits exist for all major operating systems. In May, a proof-of-concept rootkit for Cisco IOS was delivered by a Core Security researcher at EuSecWest, London.

PACKAGES  Rootkits such as Rustock.C spread like kernel-level viruses and launch spam bots. This packaging is creating some confusion as to what constitutes a rootkit and what constitutes a bot (remote-controlled computer).

KERNEL AND HARDWARE  These persistent rootkits run in the kernel and then hide themselves in firmware when the computer turns off. Researcher John Heasman’s rootkit hides in the firmware’s ACPI (Advanced Configuration and Power Interface) tables and reloads at BIOS time. Game-bot rootkit packages are using this technology.

HARDWARE ROOTKITS  Proof of concept of a rootkit for SMM (System Management Mode, which controls basic functions such as sleep and fans) scheduled to be delivered at Black Hat 08.

VIRTUAL ROOTKITS  Proofs of concept such as Joanna Rutkowska’s Blue Pill for AMD processors (Black Hat 06) have not been found in the wild and are believed to be more trouble than they’re worth because kernel-mode rootkits are still quite successful.


authentication  and  access. 

Microsoft’s acquisition in March of Komoku also is an indicator of deeper inspection technologies eventually coming to market. Backed by the Defense Advanced Research Projects Agency, the Department of Homeland Security and the Navy, Komoku’s technology and its brain trust are being absorbed by Microsoft’s Forefront and OneCare antimalware projects, says a Microsoft spokesperson.

So, rootkit technologies drive security deeper, as the game of cat chasing mouse continues. “It’s foolish to believe that we’ll ever be able to make systems completely invulnerable to attack,” Dai Zovi says. “However, we must make them secure enough that attacking them is not worthwhile for most criminals.”

Radcliff  is  a  freelance  writer  in  California. 
She  can  be  reached  at  deb@radcliff.com. 


HOW TO DEFEND AGAINST IT

Make sure browsers are secure; also deploy up-to-date antivirus/intrusion prevention, endpoint security and network gateway protections.

Antivirus has a hard time detecting kernel rootkits because antivirus runs at the application layer and rootkits run with full control of the kernel. To put antimalware at a higher level of privilege than the kernel, look into Virtual Machine Manager-based antimalware, recently introduced as VMsafe by VMware.

Tune desktop and network monitoring tools to look for signs of viral, bot and other malware making calls, opening connections and so on. Because these packages can even turn off desktop defenses, gateway monitoring is critical. Watch for anomalous inbound and especially any outbound behavior. Also look for encrypted traffic, which controllers use to run bot commands over IRC.

Against firmware-persistent rootkits, current endpoint security technologies are not useful, and cleaning is difficult because the rootkit reinstalls at pre-boot when the machine powers on. Technologies such as the Trusted Platform Module (TPM) and Intel’s trusted-boot process built on it (Trusted Execution Technology) cryptographically measure and verify the boot loader and drivers before the kernel runs. However, it will be years until enough systems are replaced or introduced to make a difference.

Move monitoring and diagnostics down to the hardware. There is some market movement in this direction with a recent Microsoft acquisition and network diagnostics looking at this layer.

Novell and other virtual machine providers have management tools that can catch rogue machines. So can virtual-machine antivirus, such as VMsafe.

Rootkit-ology

A list of where, what and how rootkits hide, and what protections apply
CLEAR CHOICE TEST: ENTERPRISE FIREWALL

Palo Alto provides great visibility into network threats

The  PA-4020  is  an  innovative  twist  on  traditional  firewall 


BY  JOEL  SNYDER,  NETWORK  WORLD  LAB  ALLIANCE 

Palo Alto Networks’ PA-4020 is not just another firewall. Yes, it has what you would expect in a basic firewall: 24 ports, divided into 16 Gigabit Ethernet ports and eight small form-factor pluggable ports. It has a rule base, some basic VPN capabilities and a Web-based management interface. If the description ended there, Palo Alto would not likely make any headway into the enterprise firewall business, which is already carved up between Check Point Software, Cisco and Juniper Networks.

Palo Alto’s secret sauce lies in the visibility it provides. Most firewalls do what they do and provide little information (other than logs) about what they’re seeing. The Palo Alto PA-4020 has a much greater focus on exposing the application-layer traffic, and then giving the network manager visibility into the traffic and threats in the network.

In this Clear Choice Test, we found the PA-4020 to be an innovative turn on the traditional firewall. (See “Does Palo Alto make an enterprise firewall?” at www.nwdocfinder.com/6122.) By looking at application data streams rather than TCP/IP port numbers, the PA-4020 provides more detailed control over user Internet usage than has previously been available in any firewall. The PA-4020 also leverages this application knowledge to provide unprecedented (for a firewall) levels of visibility into network traffic.

That said, we found the PA-4020 to still be a work in progress. Weaknesses in areas such as bandwidth management and virus scanning mean that it can’t fully replace the combination of a firewall and Web security gateway, yet. (See “Why Palo Alto won’t say the UTM word” at www.nwdocfinder.com/6123.)

What’s it all about

Palo Alto says the PA-4020 (like all of the company’s firewalls) does something that no other firewall can do: control based on application rather than on port number. For traffic coming into an enterprise, that’s not very interesting, because most network managers know for which applications they’re opening holes in the firewall. However, when it comes to outbound traffic, network managers haven’t had that vital visibility. The alternatives, up to now, have been slim. Either run with a default outbound allow policy and have no idea what people are really doing, or block all outgoing traffic and force users through proxies that can control and log what’s happening.

Palo Alto changes the game by letting you write your firewall rules based on the applications you want to control. The familiar firewall rules page is changed in a subtle but very important way: You get one more column called “application.” To block outbound Simple Mail Transfer Protocol (SMTP) from everyone other than your mail server, rather than specify Port 25 (which will catch some, but not all, SMTP), you could simply block the application SMTP. We tested the PA-4020 and it found SMTP on nonstandard ports without a problem.
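The difference between a port rule and an application rule, as an added Python example (not Palo Alto’s code; the PA-4020’s own classifier is far more elaborate and is not described in the review). identify_app() classifies a flow from the first bytes of its payload instead of from the destination port, and evaluate() applies a rule base that has an “application” column. The addresses, flows and rules are constructed; the SMTP-on-port-2525 flow is the case a Port 25 rule misses.

```python
"""Application-based vs port-based firewall rules. Added example with constructed
flows; not the PA-4020's own classifier."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Payload fingerprints, checked in order; first match wins. Client-side and
# server-side openers are both listed so either direction identifies the app.
_SIGNATURES = [
    ("smtp", re.compile(rb"\A(?:EHLO|HELO)\s|\A220[ -][^\r\n]*\b(?:SMTP|ESMTP)\b", re.I)),
    ("ssh", re.compile(rb"\ASSH-2\.0-")),
    ("ssl", re.compile(rb"\A\x16\x03[\x00-\x03]")),          # TLS handshake record
    ("web-browsing", re.compile(rb"\A(?:GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes        # first bytes exchanged on the connection (constructed)


@dataclass(frozen=True)
class Rule:
    src: Optional[str]    # None = any source
    app: Optional[str]    # None = any application
    dport: Optional[int]  # None = any port
    action: str           # "allow" or "block"


def identify_app(payload: bytes) -> str:
    """Name the application from the payload, whatever port it rides on."""
    for name, pattern in _SIGNATURES:
        if pattern.search(payload):
            return name
    return "unknown"


def evaluate(flow: Flow, rules: List[Rule], default: str = "allow") -> str:
    """First-match rule evaluation; unmatched flows get the default action."""
    app = identify_app(flow.payload)
    for r in rules:
        if ((r.src is None or r.src == flow.src)
                and (r.app is None or r.app == app)
                and (r.dport is None or r.dport == flow.dport)):
            return r.action
    return default


MAIL_SERVER = "10.0.0.25"   # constructed address of the one host allowed to send mail

# Port-based policy: all a traditional firewall can express.
PORT_RULES = [
    Rule(src=MAIL_SERVER, app=None, dport=25, action="allow"),
    Rule(src=None, app=None, dport=25, action="block"),
]

# Application-based policy: the same intent on the 'application' column.
APP_RULES = [
    Rule(src=MAIL_SERVER, app="smtp", dport=None, action="allow"),
    Rule(src=None, app="smtp", dport=None, action="block"),
]

# Constructed outbound flows through the firewall.
FLOWS = {
    "mail server, port 25": Flow(MAIL_SERVER, "203.0.113.10", 25, b"EHLO mail.example.com\r\n"),
    "workstation, port 25": Flow("10.0.1.7", "203.0.113.10", 25, b"EHLO bot\r\n"),
    "workstation, port 2525": Flow("10.0.1.7", "203.0.113.20", 2525,
                                   b"220 mx.example.net ESMTP ready\r\n"),
    "workstation, https": Flow("10.0.1.7", "203.0.113.30", 443,
                               b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    "workstation, http": Flow("10.0.1.7", "203.0.113.40", 80,
                              b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
}


def compare_policies() -> Dict[str, Tuple[str, str]]:
    """Verdict per flow as (port-based policy, application-based policy)."""
    return {name: (evaluate(f, PORT_RULES), evaluate(f, APP_RULES)) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, (by_port, by_app) in compare_policies().items():
        print(f"{name:24s} port rule: {by_port:5s}  app rule: {by_app}")
```

Only the SMTP session on port 2525 separates the two policies: the port rule lets it through, the application rule blocks it. The same mechanism is why the review’s later Yahoo example misfires: a classifier that keys on payload can be wrong in both directions, and an encrypted session shows up only as “ssl” until something decrypts it.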

The PA-4020 we tested had information about 638 applications loaded into it (see “How we did it,” at www.nwdocfinder.com/6124). Those applications ranged from obvious protocol-based ones (Session Initiation Protocol and FTP) to browser-based programs (Facebook, SharePoint and PokerStars) to client-server applications (World of Warcraft, VMware and SSH) to peer-to-peer code (BitTorrent and Gnutella).

We tested a selection of applications on the PA-4020 and found that it works, most of the time, and for the things you probably care
Product: PA-4020 firewall
Vendor: Palo Alto Networks, www.paloaltonetworks.com/
Price: Starts at $35,000. One-year threat protection, $7,000; one-year URL filtering, $7,000.
Pros: Application-specific knowledge provides greater detail on outbound controls; management system offers view into users, applications and bandwidth to provide greater visibility into network use; opportunity to replace combination of outbound firewall and Web security gateway simplifies deployment and increases performance; outstanding intrusion-prevention catch rate.
Cons: Firewall features still immature; antivirus not up to par.
Score: 3.7

SCORECARD
Category                 Weight   Score
Firewall feature set     20%      4
Management               20%      4
VPN                      15%      3
Hardware architecture    10%      4.5
Intrusion prevention     10%      4.5
Antivirus                10%      3
Routing                   5%      3.5
IPv6 support              5%      2
Power efficiency          5%      4.5
Total score                       3.7

Scoring key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Subpar or not available.

about. We tried a basic test of allowing all outbound traffic but blocking BitTorrent and Skype. That worked fine; the PA-4020 identified both of those applications and effectively blocked them. Then, we tried allowing all Web browsing but blocking Web mail services. The PA-4020 successfully identified and blocked nine Web mail services, including some large public services such as Yahoo and Google’s Web mail but also other privately run Web mail gateways.

Additional tests, though, showed several false positives. For example, some of our tests to Yahoo’s pages triggered the PA-4020 to block us, because it identified the application as an instant-messaging application (Yahoo Web Messenger) rather than a simple Web page, but not consistently.

We also ran into issues when we tested the Microsoft and Apple update services. We wanted to allow servers to get these updates but not to allow general Web browsing. That’s hard to do on a conventional firewall, because the update servers don’t use fixed IP addresses, and thus there’s no way to write a firewall rule to allow update traffic but block all others. The PA-4020 got halfway through this test by successfully identifying the update traffic, but ultimately failed the test by lumping in the download traffic with other Web browsing. This means you could use a PA-4020 to block update traffic, for example, if you wanted to force servers to only use your own update server. But you can’t allow update traffic without also allowing Web browsing.

The encryption question

We can’t ignore the obvious question: What about encryption? If the traffic through the firewall is encrypted, then the PA-4020 can’t identify what’s inside. There’s no true solution to the problem, but Palo Alto has implemented what most security analysts feel is a good second choice: man-in-the-middle decryption for HTTPS traffic. The PA-4020 intercepts encrypted Web connections and makes up its own digital certificate on the fly to match the one at the destination of the connection. If you use this technique, you’ll have to give the PA-4020 a signing certificate that’s trusted by the Web browsers on your LAN to avoid having a message pop up every time the user hits an encrypted Web page. You can create a policy on the PA-4020 to only decrypt certain types of URLs or to exempt some URLs from decryption (such as banking sites). A nice feature is that the PA-4020 can optionally put up an interstitial page that lets users opt out of having their SSL decrypted.

One confusing thing about the PA-4020 is that it also includes SurfControl’s URL filtering capability, which automatically turns on SSL decryption even though you may not have enabled it in the policy. (Palo Alto says this will be controllable in a future release.) Some of the URL filtering capabilities overlap with the application detection capabilities. Web mail is a good example: You can block Web mail using the sophisticated application detection of the PA-4020, and hopefully get all Web mail sites. Or you can use plain old URL filtering, which would have a different set of false positives and false negatives.

Not just control, also visibility

Most firewalls generate traffic logs. Because the PA-4020 has greater visibility into the traffic passing through it (or past it: you can set interfaces on the PA-4020 to act as intrusion-detection system taps as well as firewall interfaces), the logs out of the PA-4020 have correspondingly more information about what is happening on the network. Each traffic log message also includes the application being used (if the PA-4020 can identify it). An additional feature of the PA-4020, which we did not test, can correlate traffic information with Windows Active Directory user information. That adds up to a lot of useful data.

To help sift through the information, the PA-4020 includes both a log browser and a report-writing tool. We ran these directly on the PA-4020 system, which has an internal hard drive to store logs. As an alternative, Palo Alto offers an external management tool (we did not test this) to handle multiple firewalls and aggregate their logs.

We spent a lot of time using the log browser to dig through traffic and threat logs to see what the PA-4020 was and wasn’t detecting. While it’s easy to find fault with the tools we had from Palo Alto, no other firewall we’ve tested made it this easy to find out what was happening on our network, either from the general traffic point of view or when seeking out genuine threats.

At this stage in the product’s life cycle, the PA-4020 has a long way to go before it will be a full-fledged forensics tool. Navigation through the data set is cumbersome and slow; it’s impossible to jump from summary to detailed views; DNS lookups aren’t applied consistently; you can’t use wildcards in some fields; and queries get lost when moving between screens. But for a first pass, the monitoring, reporting and application investigation tools are more useful than any other firewall offers on a system-resident Web interface.

[Photo caption: The Palo Alto PA-4020 provides basic firewalling capabilities, but its strength lies in its ability to provide a high level of visibility into the streams flowing through it.]

It’s fair to characterize the PA-4020 visibility tools as a first taste of what could be done with the information available. If the PA-4020 is compared with a pure intrusion prevention/detection system (IPS/IDS), then the logging and browsing tools are immature and lacking serious functionality. But when you consider the combination of firewall and application logs, IPS/IDS logs, antivirus/antispyware logs and URL filtering logs, there’s a powerful pile of visibility information not available in a typical IPS, IDS or firewall. Not everything you would want is there. For example, traffic information isn’t broken out by direction, and when a threat is logged, such as a virus or IDS alert, you don’t get very much information about the threat. But even with missing pieces, we found that the PA-4020 offers a unified and clear, if somewhat clumsy, view into traffic and threats on a network.

The PA-4020 will fit well into many network topologies, because the device can act as a Layer 2 bridge or as a Layer 3 router (although only IPv4 is supported in the version we tested; IPv6 is targeted for the first half of 2009). When in Layer 3 mode, features such as network address translation also are available. Routing functionality is limited in this release to static routes and the Routing Information Protocol and Open Shortest Path First routing protocols. The PA-4020 includes virtual routers and virtual systems, which would make it easy to carve the PA-4020 into smaller pieces to serve multiple departments within an organization, even ones with conflicting IP address space. With 24 Gigabit Ethernet ports, there’s plenty of firewall to go around.

Palo Alto manages to do all this with heavily customized hardware. This isn’t a standard Intel PC with Linux on it; Palo Alto builds its own hardware, which helps keep its power consumption down to a miserly 1.9 amps.

There is one big gap in the PA-4020’s capabilities at this juncture in that there is no ability to apply QoS controls and bandwidth limits. The PA-4020 can label traffic based on application so that other devices can provide bandwidth limits, but does not do even rudimentary limiting (other than outright blocking) of applications. Palo Alto says this feature will be available in the first half of 2009 and will be hardware accelerated.

Are the issues we found killer problems with the PA-4020? No, definitely not. This product is fresh out of the gate, and some rough spots are expected. If you are attracted to the idea of controlling outbound access with a firewall rather than forcing traffic through a proxy, you’ll still think that the PA-4020 has a lot to offer. Overall, enterprise network managers who need additional visibility and controls over employee Internet access will find the PA-4020 a valuable tool that goes beyond traditional firewalls.

Snyder is senior partner with Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.

Independent, unbiased product testing. Go online for Network World’s ethical testing policy: www.networkworld.com/reviews

NEWS ANALYSIS


Cloud  service  offers  network  security 


BY  JEREMY  KIRK,  IDG  NEWS  SERVICE 

A network service that traps more malicious software than a single antivirus program catches by itself could be the next weapon used to fight Internet threats.

The researchers from the University of Michigan who developed the CloudAV service contend that antivirus programs don’t detect a substantial percentage of malware. In addition, there’s a time lag between when a threat appears and when the antivirus program is updated to detect it, they say.

Security  experts  warn  that  people  should 
use  antivirus  products,  but  that  the  programs’ 
effectiveness  is  slowly  diminishing  with  an 
ever-increasing  rise  in  malicious  software. 

The researchers’ method uses the cloud-computing concept, where the processing of a task is performed on a remote server and the result is returned to a PC or a mobile device.

CloudAV uses a muscular approach, combining 10 antivirus engines and two behavioral-detection ones into one service. The researchers took a cue from “N-version programming,” a method in which different software implementations are used to ensure the reliability of such services as file systems.

“Antivirus engines have complementary detection capabilities, and a combination of many different engines can improve the overall identification of malicious and unwanted software,” according to the CloudAV paper. “This model enables identification of malicious and unwanted software by multiple, heterogeneous detection engines in parallel, a technique we term N-version protection.”

To use CloudAV, a host agent is installed on a PC running Windows, Linux or FreeBSD. The agent can also be installed on a mobile device.


ONLINE: Software-as-a-service and cloud computing

The software-as-a-service market is heating up. Saugatuck Technology research shows that between 2009 and 2012, at least 40% of mid-to-large enterprises will evaluate SaaS-based “core” financial systems. Find out more by attending IT Roadmap: Dallas on Sept. 23. Qualify to attend free at: www.nwdocfinder.com/5731


The agent monitors new files and programs that are written to disk. A cache of previously analyzed files is kept to reduce load on the network; only files not recognized in the local cache are sent to the service. CloudAV can then compare them with its own cache or run a fresh analysis, which takes around 1.3 seconds.

During six months of testing, CloudAV detected 98% of some 7,220 malware samples researchers ran against it. A single detection engine gets only 83%, the researchers wrote.

The antivirus engines used by CloudAV are Avast, AVG, BitDefender, ClamAV, F-Prot, F-Secure, Kaspersky, McAfee, Symantec and Trend Micro, plus two behavioral detection engines, Norman Solutions’ Sandbox and Sunbelt Software’s CWSandbox.
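The N-version protection and digest caching described above, as an added Python sketch (not the CloudAV researchers’ code, whose engines are the real commercial scanners listed). Each constructed “engine” here is a tiny signature scanner that knows a different set of byte patterns, so the engines have the complementary coverage the paper relies on; the service side hashes each file, consults a cache of prior verdicts first, and ships only unknown files to the engines, which run in parallel. The sample files, signatures and engine names are constructed.

```python
"""N-version protection: run heterogeneous engines in parallel, aggregate their
verdicts, cache by content digest. Added example with constructed engines."""
import hashlib
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence

Engine = Callable[[bytes], bool]      # True when the engine flags the file


def signature_engine(name: str, patterns: Sequence[bytes]) -> Engine:
    """Constructed stand-in for one vendor's scanner: flags any file containing
    one of its known byte patterns. Real engines differ in exactly this way,
    which is what makes combining them raise the catch rate."""
    def scan(data: bytes) -> bool:
        return any(p in data for p in patterns)
    scan.__name__ = name
    return scan


@dataclass
class Verdict:
    digest: str
    flagged_by: List[str]
    malicious: bool
    from_cache: bool


@dataclass
class CloudAV:
    engines: Sequence[Engine]
    threshold: int = 1                 # engines that must agree to call a file malicious
    cache: Dict[str, Verdict] = field(default_factory=dict)
    engine_calls: int = 0              # instrumentation: scanning the cache saved

    def analyze(self, data: bytes) -> Verdict:
        """Cache lookup by SHA-256; on a miss, fan out to every engine at once."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.cache:
            hit = self.cache[digest]
            return Verdict(hit.digest, hit.flagged_by, hit.malicious, from_cache=True)
        with ThreadPoolExecutor(max_workers=len(self.engines)) as pool:
            results = list(pool.map(lambda engine: engine(data), self.engines))
        self.engine_calls += len(self.engines)
        flagged = [e.__name__ for e, hit in zip(self.engines, results) if hit]
        verdict = Verdict(digest, flagged, len(flagged) >= self.threshold, from_cache=False)
        self.cache[digest] = verdict
        return verdict


# Three constructed engines with partially overlapping signature sets.
ENGINES = [
    signature_engine("engine-a", [b"EICAR-STANDARD-ANTIVIRUS-TEST", b"spambot-v1"]),
    signature_engine("engine-b", [b"spambot-v1", b"irc-c2-loader"]),
    signature_engine("engine-c", [b"irc-c2-loader", b"kernel-hook-installer"]),
]

# Constructed sample files the host agent sees being written to disk.
SAMPLES = {
    "clean.txt": b"quarterly report, nothing to see here",
    "spam.exe": b"MZ...spambot-v1...",
    "dropper.exe": b"MZ...kernel-hook-installer...",
}


def scan_all(service: CloudAV) -> Dict[str, Verdict]:
    return {name: service.analyze(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    svc = CloudAV(ENGINES)
    for name, v in scan_all(svc).items():
        print(f"{name:12s} malicious={v.malicious} flagged_by={v.flagged_by}")
    print("second look at spam.exe served from cache:", svc.analyze(SAMPLES["spam.exe"]).from_cache)
```

dropper.exe is the case the article is about: only one of the three engines knows it, so any single-engine deployment that lacks that engine misses it while the combination catches it. The threshold parameter is the trade-off a deployment has to make: raising it cuts false positives from one eccentric engine but also throws away exactly these single-engine catches.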

The researchers caution that such network services as CloudAV won’t replace antivirus or intrusion-detection software, but could be used in combination to create a better defense against malware.

The  research  paper  was  authored  by  Jon 
Oberheide,  Evan  Cooke  and  Farnam  Jahanian 
of  the  Electrical  Engineering  and  Computer 
Science  Department  at  the  University  of 
Michigan.  ■ 


Applications 

continued  from  page  12 

across a LAN. For instance, DNS servers could route application traffic down different paths, causing slowdowns for some users while others experience no change in service.

“If DNS is not set up properly, applications will run pitifully slow because anything talking across the network is talking to it by name. If the name is not accurate, the IP address cannot be resolved and traffic will come to a halt,” says Glenn O’Donnell, a senior analyst at Forrester Research.

One solution is to implement a combination of application-dependency-mapping and configuration-management tools. These can help network managers understand which servers applications use to fulfill requests, and track how configurations might have changed or may differ among resources, leading to a slowdown.

“The brightest sleuths are often assigned to find these [configuration errors], but even they are now becoming overwhelmed by the complexity. It can take a number of days to hunt the problem down, and that can become time consuming and expensive,” O’Donnell says. “We need to come up with better modeling tools to analyze all of the possible combinations of configuration settings. The needle keeps moving, and the haystack keeps getting bigger.”

Aside from pinpointing the initial cause of a configuration error and correcting it, network managers should be establishing rigid change- and configuration-management policies (such as those detailed in ITIL) to make sure unauthorized changes don’t result in major outages later on.

“If an organization has well-defined problem- and incident-management processes, they can quickly detect a problem they haven’t seen before and work to define how to handle it the next time it occurs,” says Noel of Ptak, Noel & Associates. “Invariably the problem will happen again — maybe not tomorrow, but when everyone has completely forgotten about it. If the proper processes are in place, organizations can use proven methods to resolve such errors and even work toward the fixes with tools.” ■
BACKSPIN

E-discovery: turning you into an actuary

Mark Gibbs

An actuary is defined as “an adviser on financial questions involving probabilities relating to mortality and other contingencies.” So, do you know the old joke about actuaries? No, not the one about how they are accountants who found accountancy too exciting. I mean the one that defines actuaries as the guys who come down from the hills after the battle to kill the wounded to make them easier to classify. Don’t laugh: If you are going to protect your organization, you are destined to become actuaries.

What got me thinking about this is the issue of electronic discovery (also called, rather irritatingly, e-discovery). Much has been written about this topic over the last few years, and many acres of crushed dead trees have been smeared with ink on the subject.

Before I launch into my main thrust, let’s just look at what e-discovery is. Let’s say you are a midsize or larger corporation (as you probably are, given you’re reading Network World), and someone decides to sue you (which, given the way the world is today, is a question of when, not if). The claimant contends that whatever it is you are supposed to have done is documented in your corporate data, in your e-mail and files. They can demand you turn over your data as part of the process of finding evidence (the discovery phase), and should you fail to do so in a timely fashion, you will face potentially serious fines.

The chaps at StoredIQ, a company that specializes in providing infrastructure for e-discovery, say that, given the high cost of what they call reactive e-discovery (adopting e-discovery processes and policies after someone starts to sue you), more companies are proactively getting their data ducks in a row in preparation for the inevitable.

Here’s the thing: If you take proactive e-discovery to heart, if you view it as a strategic element of your IT plans and as a kind of insurance plan, it doesn’t just solve the e-discovery problem, it also sends you down a completely new path of IT thinking.

For  a  start,  you  have  to  know  exactly  and  in  detail  the  IT  resources 
you  own.  Depending  on  what  figures  you  believe,  for  roughly  half  of 
you,  that  is  merely  a  pipe  dream.  One  survey  by  PacketTrap  Networks 
found  that  54%  of  respondents  had  no  network  management  system 
at  all.  Without  an  NMS  you  can’t  possibly  know  what  you’ve  got,  where 
it  is,  what  it  is  doing  or  whether  it  even  works. 

So, adopting e-discovery means you have an NMS and you inventory your resources. You then have to establish what data lives where and what it is doing. You then define retention rules, archive the data that needs to be preserved by law and for corporate continuity, and run regular audits to ensure the organization is complying with and maintaining your systems and standards.

But where do you stop? If you were to do all that I just suggested, you’d need to spend something like the gross national product of Chile to get the job done. What you have to fall back on is doing as much as you can for a cost that maximizes payback and minimizes risk.

So, before you go to management looking for a budget to make this happen, you’ll need to work out a cost-benefit analysis, the risk factors, the ROI, and the intangible and tangible benefits. In fact, you’re going to wind up looking and sounding like an actuary.

Never fear, if you get what you want, the first time your organization gets sued and you handle e-discovery with a legally tenable response in a timely fashion and for minimal cost, you will look far more like a hero than an actuary. Then let’s see them make a joke about you.

Gibbs is very serious in Ventura, Calif. Your gravitas to backspin@gibbs.com.


Circuit City, ‘Mad’ magazine and Streisand

Trust me, I’ll connect the dots. About 10 days ago, someone at Circuit City spots a “Mad” magazine parody of their beleaguered company and dashes off a memo demanding that all copies of the periodical be purged from the electronics chain’s shelves.

I  already  know  that  you’re  thinking  two  things: 
“‘Mad’  magazine  still  publishes?”  and  “They  sell 
it  at  Circuit  City?” 

Seems both are the case. The missive from corporate read: “Immediately remove all issues and copies of Mad Magazine from your sales floor. Destroy all copies and throw them away. They are not inventoried, and your store will not incur shrink. Thank you for your immediate attention to this.”

Little  did  the  exec  know  that  the  directive  would  wind  up  on  a 
rat-out-the-rats  Web  site  called  The  Consumerist.  It  did,  which  sent 
me  to  Circuit  City  public  relations  looking  for  an  explanation. 

Here’s  what  I  received  from  company  spokesman  Jim  Babb: 

“I became aware of this situation only this morning, and I have sent a note today to the editors of Mad Magazine. Speaking as an embarrassed corporate PR Guy, I apologized for the fact that some overly sensitive souls at our corporate headquarters ordered the removal of the August issue of MAD Magazine from our stores.

Please  keep  in  mind  that  only  40  of  our  700  stores  sell  magazines 
at  all.  We  apologize  for  the  knee-jerk  reaction,  and  have  issued  a 
retraction  order;  the  affected  stores  are  being  directed  to  put  the 
magazines  back  on  sale.” 

But  Babb  wasn’t  done  there:  “As  a  gesture  of  our  apology  and 
deep  respect  for  the  folks  at  MAD  Magazine,  we  are  creating  a 
cross-departmental  task  force  to  study  the  importance  of  humor  in 
the corporate workplace and expect the resulting Powerpoint presentation to top out at least 300 pages, chock full of charts, graphs
and  company  action  plans. ...  In  addition  I  have  offered  to  send 
the  Mad  Magazine  editor  a  $20  Circuit  City  Gift  Card,  toward  the 
purchase  of  a  Nintendo  Wii  —  if  he  can  find  one!” 

That’s  about  the  best  you  can  expect,  as  damage  control  goes. 

Which brings us around to Barbra Streisand. Did you know there’s a name for this increasingly common phenomenon of seeing the effort to suppress some bit of embarrassing or proprietary news backfire on the suppressor? It’s called The Streisand Effect. (Yes, that was a new one on me, too.)

From  Wikipedia:  “The  term  Streisand  effect  originally  referred  to 
a  2003  incident  in  which  Barbra  Streisand  sued  photographer 
Kenneth  Adelman  and  Pictopia.com  for  $50  million  in  an  attempt 
to  have  the  aerial  photo  of  her  house  removed  from  the  publicly 
available  collection  of  12,000  California  coastline  photographs,  cit¬ 
ing  privacy  concerns.  Adelman  claims  he  was  photographing 
beachfront  property  to  document  coastal  erosion  as  part  of  the 
California  Coastal  Records  Project.” 

The most famous example of The Streisand Effect from the world of technology involved digital rights management code, HD DVD disks, and, thanks primarily to Digg, just about everybody on the Internet.

Finally,  I  have  a  question:  Is  there  a  name  for  people  who  make 
fun  of  other  people  for  not  knowing  an  Internet  meme  like  The 
Streisand  Effect? 

I  ask  because  I  anticipate  being  ridiculed  for  my  admission  that 
I  didn’t  know  this  one  and  I’d  like  to  be  prepared  with  a  snappy 
comeback  since  simply  covering  up  the  insults  would  only  pro¬ 
duce  —  well,  you  know. 

Answers  and  insults  to  buzz@nww.com. 




